nanocore | da277087425deecdf94e54b44bdf2df5042d4a65cc97b2b958876d528b2b850e

Analysis

max time kernel
34s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2025, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe
Size

1.3MB
MD5

5a42731e84f6264b40a9fc8d5f527a0e
SHA1

c9cd62e51d2ed4feb92582b88a9f9b25b890c3ca
SHA256

da277087425deecdf94e54b44bdf2df5042d4a65cc97b2b958876d528b2b850e
SHA512

77972bd5a3c99922dd6aa25cebb0d5252280228864a3d8763bb40c67257f5d6bdfc31d67c697c28b528b9a7eeaab5aad8f99c481ab288aa99f9949d839daa230
SSDEEP

24576:6NA3R5drXvd+CPORdlivNuFrNT2P9Z0+4sHVu1h6LId7nT1RMwaMm3CfBomuaSh:z5FdcD2P9Zzrc1h6LIdzTXM76fBo3aK

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

marinjack44.ddns.net:63480

127.0.0.1:63480

Mutex

d9905d9b-af01-48cd-858a-13e2bac55a68

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-05-25T01:16:24.038793536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
63480
default_group
BOSS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d9905d9b-af01-48cd-858a-13e2bac55a68
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
marinjack44.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	mheqtrmhp.exe

Executes dropped EXE 38 IoCs

pid	Process
2580	mheqtrmhp.exe
3592	mheqtrmhp.exe
2864	mheqtrmhp.exe
216	mheqtrmhp.exe
1320	mheqtrmhp.exe
2360	mheqtrmhp.exe
4160	mheqtrmhp.exe
4152	mheqtrmhp.exe
5220	mheqtrmhp.exe
5324	mheqtrmhp.exe
5300	mheqtrmhp.exe
5404	mheqtrmhp.exe
5432	mheqtrmhp.exe
6000	mheqtrmhp.exe
6088	mheqtrmhp.exe
6136	mheqtrmhp.exe
4896	mheqtrmhp.exe
1476	mheqtrmhp.exe
6516	mheqtrmhp.exe
6800	mheqtrmhp.exe
1964	mheqtrmhp.exe
7748	mheqtrmhp.exe
8364	mheqtrmhp.exe
8636	mheqtrmhp.exe
8992	mheqtrmhp.exe
9364	mheqtrmhp.exe
9372	mheqtrmhp.exe
9308	mheqtrmhp.exe
8700	mheqtrmhp.exe
9472	mheqtrmhp.exe
9616	mheqtrmhp.exe
9660	mheqtrmhp.exe
11412	mheqtrmhp.exe
11436	mheqtrmhp.exe
11444	mheqtrmhp.exe
11420	mheqtrmhp.exe
11428	mheqtrmhp.exe
11632	mheqtrmhp.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\MHEQTR~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\WUQHIM~1"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\35485012 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35485012\\start.vbs"	mheqtrmhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Service = "C:\\Program Files (x86)\\UPNP Service\\upnpsv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 4308	2580	mheqtrmhp.exe	104
PID 3592 set thread context of 4504	3592	mheqtrmhp.exe	110
PID 2864 set thread context of 5108	2864	mheqtrmhp.exe	131
PID 216 set thread context of 4864	216	mheqtrmhp.exe	139
PID 2360 set thread context of 5924	2360	mheqtrmhp.exe	396
PID 1320 set thread context of 6076	1320	mheqtrmhp.exe	387
PID 4160 set thread context of 6100	4160	mheqtrmhp.exe	188
PID 4152 set thread context of 6780	4152	mheqtrmhp.exe	225
PID 5432 set thread context of 10980	5432	mheqtrmhp.exe	744

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UPNP Service\upnpsv.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\UPNP Service\upnpsv.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
16356	15548	WerFault.exe	654
1680	6120	WerFault.exe	633
7812	14556	WerFault.exe	587
9060	5300	WerFault.exe	159
11668	9948	WerFault.exe	850
11548	5144	WerFault.exe	848
2384	11024	WerFault.exe	847
3604	15240	WerFault.exe	851
8452	5656	WerFault.exe	853

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mheqtrmhp.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
2580	mheqtrmhp.exe
2580	mheqtrmhp.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4504	RegSvcs.exe
4504	RegSvcs.exe
4504	RegSvcs.exe
4504	RegSvcs.exe
3592	mheqtrmhp.exe
3592	mheqtrmhp.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
2580	mheqtrmhp.exe
2580	mheqtrmhp.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
2580	mheqtrmhp.exe
2580	mheqtrmhp.exe
3592	mheqtrmhp.exe
3592	mheqtrmhp.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
5108	RegSvcs.exe
5108	RegSvcs.exe
5108	RegSvcs.exe
5108	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
2864	mheqtrmhp.exe
2864	mheqtrmhp.exe
4864	RegSvcs.exe
4864	RegSvcs.exe
4864	RegSvcs.exe
4864	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
4308	RegSvcs.exe
216	mheqtrmhp.exe
216	mheqtrmhp.exe
4308	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2528	4236	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe	92
PID 4236 wrote to memory of 2528	4236	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe	92
PID 4236 wrote to memory of 2528	4236	2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe	92
PID 2528 wrote to memory of 2580	2528	WScript.exe	93
PID 2528 wrote to memory of 2580	2528	WScript.exe	93
PID 2528 wrote to memory of 2580	2528	WScript.exe	93
PID 2352 wrote to memory of 3592	2352	cmd.exe	96
PID 2352 wrote to memory of 3592	2352	cmd.exe	96
PID 2352 wrote to memory of 3592	2352	cmd.exe	96
PID 1980 wrote to memory of 2864	1980	cmd.exe	103
PID 1980 wrote to memory of 2864	1980	cmd.exe	103
PID 1980 wrote to memory of 2864	1980	cmd.exe	103
PID 2580 wrote to memory of 4308	2580	mheqtrmhp.exe	104
PID 2580 wrote to memory of 4308	2580	mheqtrmhp.exe	104
PID 2580 wrote to memory of 4308	2580	mheqtrmhp.exe	104
PID 2580 wrote to memory of 4308	2580	mheqtrmhp.exe	104
PID 2580 wrote to memory of 4308	2580	mheqtrmhp.exe	104
PID 1808 wrote to memory of 216	1808	cmd.exe	109
PID 1808 wrote to memory of 216	1808	cmd.exe	109
PID 1808 wrote to memory of 216	1808	cmd.exe	109
PID 3592 wrote to memory of 4504	3592	mheqtrmhp.exe	110
PID 3592 wrote to memory of 4504	3592	mheqtrmhp.exe	110
PID 3592 wrote to memory of 4504	3592	mheqtrmhp.exe	110
PID 3592 wrote to memory of 4504	3592	mheqtrmhp.exe	110
PID 3592 wrote to memory of 4504	3592	mheqtrmhp.exe	110
PID 1504 wrote to memory of 1320	1504	cmd.exe	120
PID 1504 wrote to memory of 1320	1504	cmd.exe	120
PID 1504 wrote to memory of 1320	1504	cmd.exe	120
PID 3544 wrote to memory of 2360	3544	cmd.exe	121
PID 3544 wrote to memory of 2360	3544	cmd.exe	121
PID 3544 wrote to memory of 2360	3544	cmd.exe	121
PID 4060 wrote to memory of 4160	4060	cmd.exe	122
PID 4060 wrote to memory of 4160	4060	cmd.exe	122
PID 4060 wrote to memory of 4160	4060	cmd.exe	122
PID 3528 wrote to memory of 4276	3528	cmd.exe	193
PID 3528 wrote to memory of 4276	3528	cmd.exe	193
PID 1888 wrote to memory of 4152	1888	cmd.exe	126
PID 1888 wrote to memory of 4152	1888	cmd.exe	126
PID 1888 wrote to memory of 4152	1888	cmd.exe	126
PID 4276 wrote to memory of 2968	4276	WScript.exe	127
PID 4276 wrote to memory of 2968	4276	WScript.exe	127
PID 2864 wrote to memory of 5108	2864	mheqtrmhp.exe	131
PID 2864 wrote to memory of 5108	2864	mheqtrmhp.exe	131
PID 2864 wrote to memory of 5108	2864	mheqtrmhp.exe	131
PID 2864 wrote to memory of 5108	2864	mheqtrmhp.exe	131
PID 2864 wrote to memory of 5108	2864	mheqtrmhp.exe	131
PID 216 wrote to memory of 4864	216	mheqtrmhp.exe	139
PID 216 wrote to memory of 4864	216	mheqtrmhp.exe	139
PID 216 wrote to memory of 4864	216	mheqtrmhp.exe	139
PID 216 wrote to memory of 4864	216	mheqtrmhp.exe	139
PID 216 wrote to memory of 4864	216	mheqtrmhp.exe	139
PID 2376 wrote to memory of 5220	2376	cmd.exe	808
PID 2376 wrote to memory of 5220	2376	cmd.exe	808
PID 2376 wrote to memory of 5220	2376	cmd.exe	808
PID 4828 wrote to memory of 5324	4828	cmd.exe	161
PID 4828 wrote to memory of 5324	4828	cmd.exe	161
PID 4828 wrote to memory of 5324	4828	cmd.exe	161
PID 2968 wrote to memory of 5300	2968	cmd.exe	159
PID 2968 wrote to memory of 5300	2968	cmd.exe	159
PID 2968 wrote to memory of 5300	2968	cmd.exe	159
PID 3004 wrote to memory of 5404	3004	cmd.exe	163
PID 3004 wrote to memory of 5404	3004	cmd.exe	163
PID 3004 wrote to memory of 5404	3004	cmd.exe	163
PID 4960 wrote to memory of 5432	4960	cmd.exe	165

C:\Users\Admin\AppData\Local\Temp\2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-05_5a42731e84f6264b40a9fc8d5f527a0e_black-basta_luca-stealer_metamorfo.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\ghuwujnoj.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
    "C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe" wuqhimlckphjv
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
      4⤵
      PID:16096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:9652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\UPNP Service\upnpsv.exe
1⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 1296
        5⤵
        Program crash
        
        PID:9060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:12536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:9472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
        5⤵
        
        PID:8680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:2188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:5888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:11444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:10700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:12464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:13140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5072
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:6760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:7840
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:15548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15548 -s 676
        5⤵
        Program crash
        
        PID:16356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:15496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:16380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:4236
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:7004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:13440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:8684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5396
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:7248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:6816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:10084
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:11132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:8584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5728
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:14556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14556 -s 964
      4⤵
      Program crash
      PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5744
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:8520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:10340
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:5844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  - Checks computer location settings
  PID:9568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:12392
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:8884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5852
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:15508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:9012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:4276
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:11916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:14448
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:11676
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:11632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11024 -s 960
      4⤵
      Program crash
      PID:2384
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:11772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2012
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:11388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
- Modifies registry class
PID:6208
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:12120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:14548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6216
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
PID:6224
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:11392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
- Checks computer location settings
PID:6232
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:12252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6240
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6360
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 972
      4⤵
      Program crash
      PID:11548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:6696
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:13188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:6720
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:13008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6728
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:11724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:15948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:6848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:6856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:13472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6896
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  PID:11428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6904
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7028
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:13004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7044
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:11732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7140
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7148
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:12348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:11740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\run.vbs"
    3⤵
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:15668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7488
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7656
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7700
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:13028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:15896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7784
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:14648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7800
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7888
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:12028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7908
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:14904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8064
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:4624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:15540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8252
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8420
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8460
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:6120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 544
    3⤵
    - Program crash
    PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8476
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:13296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8556
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8876
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7668
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9292
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:14204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9540
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:12588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:7532
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:14304
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:12172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:9840
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10232
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:14040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:14708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:14428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:11000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:12412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9520
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10272
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:5448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:12672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10296
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:6648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:12660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10308
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:9264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10652
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:11776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:9796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10732
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10912
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:13952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10928
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:6304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:10860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10936
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:1888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:13448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11308
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11316
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:3180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:14268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11380
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:10988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:15216
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:13764
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11404
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11620
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:8588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:12576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11892
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:14636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11908
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:5360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:14368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12156
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12284
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10976
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7012
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 536
    3⤵
    - Program crash
    PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:5472
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:10972
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:13464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13268
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:3360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:15336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13276
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:14884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12304
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:7832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:13588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:6180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:14956
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:13064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:8444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13768
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:10828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:10452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14000
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14008
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14052
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:10540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14340
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:15240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 15240 -s 540
    3⤵
    - Program crash
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14760
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:12780
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:12572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:14896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15320
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:9600
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:14176
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:10436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:16004

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:16160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:16360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15224
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:8564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:9972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:11588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:2964
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:9608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 15548 -ip 15548
1⤵
PID:15980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 14556 -ip 14556
1⤵
PID:16080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:16192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:12976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14392
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:15108
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:13552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:16144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 15280 -ip 15280
1⤵
PID:15920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 6120 -ip 6120
1⤵
PID:16172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6164
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:10604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6764
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:10976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:10952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10880
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:4156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15828
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:9864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:5620
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:14328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:9668
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:13036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:16204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:10508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8864 -ip 8864
1⤵
PID:10980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9488
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:10672
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:4380
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:10832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:8472
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:4896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7588
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:8796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:12044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:13572
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:13156
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15380
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:6956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:7904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:7244
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:12164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:15488
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:9948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9948 -s 664
    3⤵
    - Program crash
    PID:11668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:13060
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:13744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:16012
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:5920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:11596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:15572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:9264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:10128
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:13484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:14844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 11720 -ip 11720
1⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs
1⤵
PID:8264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
  2⤵
  PID:10944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
    3⤵
    PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
      mheqtrmhp.exe "wuqhimlckphjv"
      4⤵
      PID:9152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5300 -ip 5300
1⤵
PID:9444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:7360
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:11432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:16032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:16260
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:13880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:13212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:9056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
1⤵
PID:9276
- C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
  C:\Users\Admin\AppData\Local\Temp\35485012\MHEQTR~1.EXE C:\Users\Admin\AppData\Local\Temp\35485012\WUQHIM~1
  2⤵
  PID:8892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 11024 -ip 11024
1⤵
PID:8072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 5656 -ip 5656
1⤵
PID:11208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 15240 -ip 15240
1⤵
PID:11220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 8892 -ip 8892
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5656 -ip 5656
1⤵
PID:1472

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:15040
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:11940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs"
    3⤵
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd" "
      4⤵
      PID:12716
    - - C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe
        
        mheqtrmhp.exe "wuqhimlckphjv"
        5⤵
        
        PID:13644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:14952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:14188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:14520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882878745208045.txt

Filesize
87KB

MD5
6c64b42b17db61bc569755da43524898

SHA1
b101791c7c1aab599cf2e272fb22886155879e3d

SHA256
fff7dbcb5a6c03dc3a279d82b87e9b27e29abdcc2454b405692b8bda944156b2

SHA512
ba40358551c7fdc6a357dc62cfbe4cafb2b7ce5748bfce3d8f034ac3255bbea8985ed30b0b6ee7bd0c1eb4090a4387cf2512859251bc83ad883dd217408e8028

Download Submit
C:\Users\Admin\AppData\Local\Temp\35485012\ghuwujnoj.vbs

Filesize
42KB

MD5
2967a475a7dc28cbb7ca20f566ae5f35

SHA1
6e9d23b821a38b42ac1dedf82170f964be498c6d

SHA256
a7736b5c1417068d600ac2aa5c92c909704d9b18718514f13267c5f80e9fad59

SHA512
15abc3b732ed51dec8dc7ddae7209c03d66966ec86bf6af39a79728a1f81b787d2ad9f3aa6d0dd00599ed88e7fcae2a1730bd699f9e69ccd8fe26a5a0965f75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\35485012\mheqtrmhp.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\35485012\orfsk.docx

Filesize
467KB

MD5
19d5f28fb886a1f2b891b615c718130f

SHA1
f51b3c16da75b0525b496b9a51167a803d026c3e

SHA256
be31e9ee730e77b9958637e9e74e076924699fadc091dfcb75aed7b624079b9a

SHA512
dfff1b49272520e2a2842bbf7ab4ad6c1268c033421daa1989a898b90e1eb0504195772a01f2a4e11287c3c0d6140481d28e098783a4df466af15aa57a325a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\35485012\start.cmd

Filesize
67B

MD5
9a53aa43a691505435236f34e49a92aa

SHA1
b151538e5e767837d6acc3854c2777dc874f36e6

SHA256
35426c4917bd20296b7d10d7580d7d8422aea565d5a2096970296b15546a4ee5

SHA512
0f1c944e644ced2601bd42a0e4362ee105421746e53c4cdc930266f98eaf5b2596d648aa16b8ec7361637d3f6bbd8b56e5d8d638659665778aa0f6a7c39a9b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\35485012\start.vbs

Filesize
206B

MD5
1f8a43c32e0de67934053bb2c82f8773

SHA1
9ef49775afba8feae50ed307b97c6f252dbd657b

SHA256
b791fe91be568814740e34a67587fdc2929bd1c681f251c95c1ffadca2468a68

SHA512
c0ca5c893cd43b2fdc07b342d6c19ba26a685a91baaad11290243a267def3c93f04453accddd31af3188b5bfd6f023ad9cb7b4b28e33ab8e96068e4e4ad47daa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
64ec777a40f1f58511d1fd1d786cda91

SHA1
ee4c3b5959200aa471f2beb1d068da5eaff88ad7

SHA256
e2e43a1475c9cd003e21102e38713d80318d61b3698cd85170cd759ffbf7aa41

SHA512
d95862c90e7027639315e632bb6070211919aebdd4b730d06d906df04d4d2cab77308b58b71ede110a1a13c8f346b4da8db7e96dd422c669e23bdddc7db8d328

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
77ab383aa523682247823684726ac22e

SHA1
26eadb2ffcd91dde1f56010c69ca16a32de976be

SHA256
ade8fc14e38f2f9c955eeff00ad4b0f66fbda8402fd66473c63836dd196cf9e7

SHA512
ed6276f078995d2f15d5810a96fcf4fda0e77c24d1dd0334d09e4a346936d0638698533173b7963a732f6d419f3f974a31ab4c33e2835884a0da826f305dd2a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
d11e02751ffb0e8d047e65d959b5f04e

SHA1
8c190bddb7d6a097f9424a57e64f71263da3dc97

SHA256
6aaab4ffb8e279bcbb1f72807f5e29b317120deb278585a2cd42cb34b4f851e0

SHA512
60aea747ba2af32c51cece3c629e79cd34cc9f9dcb8b9412ca2c1bccb0914a62c67ab134c9273d199597f4ba3ddf55d02b5ade546b6ae15c8f5df5a20a1811c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
3072350ddf6b4e09449efef11869d9a7

SHA1
a8633df774a46de51367401d1650248073737904

SHA256
baae67640f124bec04cf799c17c0ceb66694bae7034f1c96bf772037bb4d0190

SHA512
c82a2fe1eb313a5e075ad57e2b502352fdef7d1a11005d2059ceb1dd5e9a77dfb2209877378d19aecea7406e74722aab7171cfd93dd977fff8af240fec5bba4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
43abbff332bb37121f2de04ebb8e7166

SHA1
dfbb0b7e454b30f3442824ca370a4a0695972858

SHA256
ef6440b906ca5a7abbedbfe27efc8792be414b6be33b1096f804c18d63c890f2

SHA512
919a9ab3f10e2f93f63211a52670e7aa2a25d1bb5f3ac06b0aa464652aaaf2b79f1c4be564c523e69419c368f4b00b4e3fd987d199217d3de28c0f52ddc9c2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
dc909e9a598f0c0405c67cc71f8c4cc5

SHA1
e7a949759a7b8d47c2c98e61d4143c6e1cd1ea3f

SHA256
7988a5ab3fe7f4c9810f52de7b51e3cd0b0dc12ffd9f7fccd3c912459ea725ee

SHA512
4e5a2a9607aa04acd3aefc9f7e4970002b3fd9fdea7201274c216808aa6d558186701b904cf6da6c686df2a1956eb43d14aff733643bcaf6c435325a8ef81939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
fc3f808e33b99db45124bf3ab82edfea

SHA1
68b5697fb1edc3336396a1054d09c072e58780ac

SHA256
5b48475b065e18d23453729b51fc18b6cb65418b0b608e0df71b88f39876fb68

SHA512
9d37cd7b240e317e9430f04122d46cc5dc874a96b6ce1a137c7bb4950f65e1135e5995619c8eb871f8425125c197fde13f1c713fc34b6dbd4cd59f43c9885974

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
23354dcd0c04d78677e962720e08d2f6

SHA1
efa49acfec3a8f10729b76ac15c58dfb1db5ce36

SHA256
daaecd0a8b7dc578f2d7ae93bba8dcc15061a1c7b3bb10a8ef9656860d221548

SHA512
5e0af550e615f51657c29849e0801c302726d4aa09795234aee0d0dfb22a111a310be8268d322afc6db85331eeb52c69f74ae145723222ef466bba4125d964a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
dcf04a0f04a2dce2c26a05c83b869d2a

SHA1
e431e1ebc9df235b06a726f046e31b23d9f1a61a

SHA256
e481364e46a3fed9c7590cec2e79c5efe64a953022a87b44d60cf4a49c3d5c71

SHA512
5f0c6d8f8de4a0aed943cdd36e52ac65d5b12893dea52f93a10a8ef5579cca54c8447798715000eabd5f1c04f912a951784911e74bf5228cb0b2779a709949bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
31601c97ed944445fd8a31785c20bf64

SHA1
f3a981e506e47b414d2aaea8abbc08ceab6a946e

SHA256
a5c79f78f2f084386f274763c5c4882e3cf5864b704c20a89311e2d7f92c9f98

SHA512
0e833d7860bfc8de7c332762d34a4d5a8ee2009384f21d8eeff7aa63271c4a721f1ed39629b76947c24d1221a2a1c920e48f62d8fb904d69786e5ed57f294309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
d5e5da7d68bd93b0a09ffefd669174d4

SHA1
37e1270f543cae7de43749aadfef76fb5941c890

SHA256
83c8d84d872671fd7a94c33fcf78dd9616c9885cc26b8b1c35c2eed3c7cd516f

SHA512
7f527f413fa62c2161a430d79a28bf8328138104e51852e04695607efc2f79ce77591e304000284ae6724d6f6f8ba648b6504b80c286c7cf35fd55e0b4363e02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
20f5fc1e6982433dbf2a7ed03c9e03b3

SHA1
c558440e0817df318037a259217dd557ff4896bf

SHA256
ca5d377de12fb00313e7db70cc0874216636a6cc73b0f378f7a91389da6b0f75

SHA512
cab3055350ca064c8322fcaa72488e0359f4943d9e0dc4b1b9f76c0c0530b3f380e99206c66c212b5b689a6f8a3363034d3a40265ec791ef3c2c29cabbc25fa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
782ae744d612b80aa165cba979db039b

SHA1
3f2d8633e3481b45e21844d3f8f628086d4fa213

SHA256
541fd1fe6555c49eaceb1da0bfd45675433e6c62900ad15fa018486f3b3709b9

SHA512
fb51c5659c6c4ff261a679fc78fecc93966ded68cebcc98f7e57d831fbdd61b74c30e7ddcbc405ae093c02f9e3150b417e2d56856d1fd4d5944f5dfd03562348

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
bb03dbcef599c3ceb4a28fc873058e8f

SHA1
fc99efba4838088707ee503834f3593abd090bd4

SHA256
508cc8870e4d1ed5d68a521bb7eda6084df718623e1cada7ea9f415217304a60

SHA512
3242f9e7713b2a6254ba54814298f815de8d6748ec4d0599b37b1522142c649ad9d6aab1e867daa82c0d4e60dadc300984d7e3a95038608587d95b5b036b37e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
b2a6048464d676927a850b5ddc20853a

SHA1
8287b6cd60bd23dbfc5027ea6d7959a094a59ac5

SHA256
c11077dd0741f4327560a33b68e7e0ab5b1ffe6045a1aca1d2ea492d5cce675c

SHA512
03a3ba994f8e7b68f8a93af53f6c4aa2105693478a6cf97a717440635305d1647d75fabdd4380ace09ace97f415c449131a0e5973a546429fef78d73535eab73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
727d08d422d49fdd9ca597ba0d1044e6

SHA1
60855021dde2f6a3c5c174db88488456600b62eb

SHA256
1e740acce52766dc820012b30daffeffb00dd8574d569c2cecc4515d3faa640b

SHA512
1caa858c6e321f475106e998956a95aebe3847d7c44a88269c1af0addf33520e72d86c97348703e19713993ad999c8be2ae3cb3f4a678e4f57bfb7665d0e2149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
37a757473b3c3adb3cba4f2dc7edf702

SHA1
248d9158eacadfaf0c41fe6297e142a24d615b05

SHA256
6e04162f8703d5def406ba355451f78415952658710bfdb626fb342656778753

SHA512
ac82d550c00e9066a21b9b7c80b8372ff2c183c7dcff58d7ec03914c24f2fa4a7b828199608f09617c8b9a2ea95b8203cea8f693eb2d534a6a30c6c1918efece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
7e29d395f6f9cd278afff68091e4b443

SHA1
50456a0dccf5fde239c2d3fe15749d725b481788

SHA256
38efcbb60c63b92618ea8d3bc0668fca135956eddf04257ad822912f8306414f

SHA512
8305e37beca7bd5766f66b5423df3264a5d2cd7e14e351526d55beb184503362ecf727f7345b882a1b21b0a45a9fbe3ac3c462f4f1e791bf2d6cc1c80bf2a5b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
236ee24ef72ab7348c85920dcf5fd65e

SHA1
bff68fb23d773e5ddeed486aaa0481d7fe8134df

SHA256
32ed0ba428e206cb52f4bc99f94a53189de02f32f56650e0e0aeebfa675f551e

SHA512
8dfa2355b0f753ec655c43c315cf9b9fa401d10b2af17b6e38c5e1a662ce76f0db94a3af2e6dee8ebad9d3305b9d54f90e04a7c2896eae718031c69c09fe6138

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
cceaf793c1d08edff03292c3e03015d5

SHA1
11328a3a9787587978539ca09cd15af98ba79cf5

SHA256
e5203b884a64bdda947e03957e046dddfd6de25a8bc8197637554786f188678f

SHA512
ea3979da79554d7e6674764719822b593eb21ec5548edf1ecca2a96e741f449d0499d17686409f748af69beeb7aa17292e18125fb691ad91616cead4815772d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
62b78464bc48c556fdfebc36581b857b

SHA1
a0d268fb9503be29affdeb8e3058ac4a1433e6e6

SHA256
a693e65f35855c5aa58b9623baf343c2ca5677d32f0cba618c30ea9cdd18ac58

SHA512
9dcd1ada4e48f2d7f384183e0303cd4c4e0a0898b76d31de0641b5663068b0135582f4c2dd4e193c0c1a03fde573f30b49a3bdcf478e3e965f67e494d474d097

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
5dff4fb8118a1427c99d8c92d4e6496b

SHA1
fda56b9d7653513292e934817a4e8108a2af0990

SHA256
c5d1b66a5ae72c2d5af9ad7b89a1a2df7472c53b1ee358bdf6fd56cc2cde6f37

SHA512
3fae5bf860efeb39c21fe087db809420782e32f0e2927c1cfcf180a6c897b3c06901e787123f2c69e75d6b0ca725f42b9361302732be83bf8ade1f6ff9129f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
d10d87012c2756e1b79555b2fe7c7a49

SHA1
29e28b96860e46142ec6087378cb5a796c11249e

SHA256
e7f4498a6ffa1d6d0c3c35698f0879ace23bcc13e0ec0f98ab25b280e7958b51

SHA512
a1cd8968858de39da3f50a74e5a20dfbca6c6563c49703c6ef366b88e9a87da1a3a4374c8a74a4b2ff746d0467c74f98596e5d994544e627eb3f0800393b6f6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
a1d5c82a2ed1cc55a232b05c4f375f6e

SHA1
a3561ae9c9ca127da6a22cbffe6c40293354f54d

SHA256
c5f509b8623a683028885924dca2bc678fa93f16664218708e2fdc6d0cca99ee

SHA512
1d41d8c45a980f1c0a0170ce2d838a7c1be0dada62a47c0a9b678a8caa13711fdf9ea033b77512c0d5af5503e9dff461c98729d4ca4ed15a0055898952807f6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
238c02117782390b34946598cc4369e7

SHA1
8ad7f80e95531e45bfa5924dd7a86c005ca3439c

SHA256
92817495cd14424606279ade438ac6741bb8695919c20c033856c7571f673ba6

SHA512
38c8329888eda7d3247cc13640b8007489565b8c48d4e7f30b416244834fb1ac8adfd33f273bbb6f6b717564c763189aed00a36b4e6c7e9ba456d419144ab29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
64b619bdf2b23f17ce65dbd49054fc2d

SHA1
f38716cb59b5084e770d40ab030918283f6537a7

SHA256
41b1db6354a541f1aabcc7d63bd4e93d3e3232bb989226ab0aa93969329b26bd

SHA512
91b5a882a2e1662b166b3071f8b4fd847e3e2e5304007a12146d893db9f333a721352805f9f908fb15b82eeccc8d54b911cd927d5b90305997237de9ce9404da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
0acb99ff15abf2412d4363d1056e15ee

SHA1
c2dc8383ac7a2a605bd53cab9bd53cef7181dd7a

SHA256
5144cd83e991db9b6b5a236cd1eb49c0bc0e29f319674a39b26f57bff6a2f501

SHA512
73709b8eb2c870ab390805463f62773e5f9b66307c02e389c9e28fc418f745cc1eca6005bd03f61124c6dbb736f13a95f4cf0098f3b9011bc9254cbfd3d89f77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
7236a4cdbe1583210ce5808d5ef4baa4

SHA1
7adf7b514d58873a43d43776d200574807403199

SHA256
c52d6f474d2b117500bfc98d60fec1762ec8cbb1fd996acc03b02b66ea3db862

SHA512
bf108a9eac5a891af4162059b53875cc54ec72debfc97c5da894ba5b7376624b0c1716fd802ab9f1b1934ca1052f5775cc914fc69a5099077b104b7a5beff8f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
322a9008e62edd8faf1df8499676962e

SHA1
98471f6f649590b463a27720827fb6506d87cd23

SHA256
2abbcfedd22da00c05c884e47192809715ad46bb7665fa0495ba71415db758f6

SHA512
aa7c2683c11502c23e5ee51ce90e3ced391e6193dc74e4c1890887254d934260828b6f3ad23206a98a930aff41a9d04cc5771611025bd1d45fedbe97c1b6995f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
ee34d2b707658a4081e9bcb2627fae64

SHA1
0dd782b8fb349afe3964293520937c4efdd29200

SHA256
b9315464431acbb6336706190b683d0436b741a122a5f506b98d8702019d7812

SHA512
dcddca8c463fcac6fa9f21053b8003823ffac67bfc0b5dd14d67c6c453d6af470c258b017f22af469480ca997d08a23a24739d2d1c379648d13f1fad5a0c0040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
2bc98d462f28874c2ee5ae530be08419

SHA1
2fc9f56bd416b08c559128e2e073dd3d5a1e94e6

SHA256
1be0416a4194bdb0e78d65ba3eb2b15754b23d365015b44fe1d9c9346761e0b8

SHA512
2d56d7da1816cd8680ab72d73f6df3139ca488e22c2f359338db3f22b2e70950d258175310ea07a8f3396500d356a8ea06c1f130e60ae8b79f26a587b2fb79b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
ae5444bd8e0e1fb75f6fc6a60a06744a

SHA1
5f2af34f1ae1827997e82192fd53fc1901ab4ed3

SHA256
e156cd956278c51c4e0896d14706b99bc1ef405804851a7f56c143d8ca6d2115

SHA512
52b29605065ec93125eba2ba4783a2e326a7b90547f594c477ff43de6201d1a14ae494316033613cad13d3d92f63843286d19beb903a60bd2b546e192bf6ad31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
770ae9f1e92a05ff7affb89aa502ffa7

SHA1
17ba78b8caa56b19c725e7a422394ba51d2eef08

SHA256
9020fe7d7b49c47066dd0b135951aad6010b3e1d47994a62e427a5b039f48a81

SHA512
783fcd4297ba34a47d4d15415d4a3831de650babb27ab3336084df18f444f82c7527789a1590f7160b7f9f587d58aa6a843f696310c132be4eed26faedfcb0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
846cffbf305ea784619158bc66a86513

SHA1
0c4d4b683bc195e450c4deddcef8fa538c50c209

SHA256
e98027edc78dc949da644b1455ce41b3c8bf5be6b67d5911975d2375c0c6a6cd

SHA512
a7c5376d46a5083940a66602fa1935dc2257edf467f0b1317fc3f29aa3d32d2ec1ec68764020276195d89b19160210f10474b186f96abd89d14dc94755943cb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
2a781dfb340ec3d9d1f81ce77976d887

SHA1
fa6604c012a9705cbe7c156279c45f11ebf08ecb

SHA256
0ca52062f0ca01a26742303dde239d7813844f8642ed1d928a262c24d43d8252

SHA512
d3f3721a3f58fd0b8c33dca6516aad8af84671027927cb4d1b0bb9ae6855ce13194bfd2c4f2dc66cc50a8b1117f8a66d9f0d56402c3d67aed75e08e824674874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
adac706daaa5eb18e4100741a122e249

SHA1
f12d0ccedd6bca93fae4c0d01970a8edc83e48cb

SHA256
4c479f0aa0c43a97be5b0a5852fdc9007ff231cac6e5004947c08fb30de8f031

SHA512
da9b6d964e11261d9922c6bbc7324eb92e34bc6f88cf818ab18e4b5a7d7cb26fd5f66a1dfa9195041b763b7b102a9056b8eef774ac135157a704e2b73d468930

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
4cf9727a5729da9597dadedd7ba35ba9

SHA1
5ee0b09c5c2720b49438f0c7ea1e71c5be5cbff6

SHA256
de7f3f2d7534cf6ee5324b55f0b2f23602183d3854c3ce76fe7191589352b58d

SHA512
3602ae9b8d9cbdd83612fe483e2511ed8c22fdb67fd4854036c9b5e40c79e436b7d50aa58e906ceb12a99e07670ca22c9cb705f2eb686d9c8928e783f2d89325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
20d681848c47bdfbd93478f5e5c2f2f3

SHA1
bef108e6ca2d4631d0473c7e33b5395f0534fd71

SHA256
6bc5ffd796beae31abeb324e944ea7c6ad4360f3903dbf703369f9f0d109b9f1

SHA512
bdb9fa5a04137a5a3fb8a2a0403be662a5680528a151c8351c0d04301bf44649cf0a92d1f37b28649770c773773bf0bcb253da63f1c67a71783f142c147a56a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
2c05a942870e434a51a6b936d72a655d

SHA1
ce0bcfc69ed545baa871175a61cc74a29df433eb

SHA256
7983ac1efd16d6f3150ca754ef0876524eec2a9134f5605dac79d34c4d550172

SHA512
e7a3e22396e7f5a0672e0cd987417a955d732df60a030d1ba84cbf7e0c85850b236a700c78ac4ce4edab5ac39f166209eedeb620b9c7bfe1a3f4b0bcee0078e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
2cb4f8d4cca0288b173a79a910b5d47c

SHA1
3239b13751d4f43eea38732fdff793ba34f5fbb3

SHA256
ad402a87bac6614bd2bdbf483c4fe91ea8d94e2222ca696ff6a3b44fb1a2ed48

SHA512
8d52cffc6df435659c53956b6c2084ff2bee5103c3a3c4947f6edaff1a2cd70f79df6fd6a273c93b0ce514561e68abe4a54d70b11e01f9339f84381d26304585

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
fbd051e1d8922298842c2ffa8c5a9056

SHA1
efb28dd0946795910d1ab934c7a7a8f8cacdd3d5

SHA256
e3ad01a578933724b32783fb4b7c11debcebbaa0115a4bca8877ff9224e95285

SHA512
41693f725890d901aaa3799a4fc61417c5ed76c9e1129dfdfd2faf9443bae2b24f49d0845c40ec5f0efcd1e2216c06ca0ddca6255d86b92dc7253b6ab67e1f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
c75eaa95eb256bee3c3ff378a5095723

SHA1
e70b5967e91f2f3f9fd207b4337958c861612141

SHA256
579dcd7a29d00ab427feebcb26d7e290b1921a61564e11016a892431fd86b591

SHA512
459f1e89f1ce1151f806399927c93ab9c4f36dc8162b0ba090b0006b8ec9be11d1ceb47d626b1a5568c6c281a4a52986fd020f52a59ac365baa8f45d5da4849c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
fc58d2fa6410a250e51fdb63319df697

SHA1
90a9801bc971995ff00c9244b125da9e858e20c3

SHA256
3ac82902a4b3762ac803df3eeb2ca595d3f3d8d81c0d8704324e96c78630707c

SHA512
ce1eba6d840fea5364938976333380116ac3d9589f5eb6d476bbafc682b371b19a1937eacbffa2a8f14e58237110f9a9a841cdbc25eead5cdd50a74f972bcb76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
62ad2a996b652b8c290b8066c385929c

SHA1
30c84b0accbbd49566d91786cb665765319a43c5

SHA256
2d1d362a558702d7e901d801ac3bbfc13e88459a24ff92ad573d2f7f471c40f6

SHA512
85c1a662a19d92e9e2789dd1495d93d122762b5253020bd50b8f5404a788ee336192bc8bd04dd69f2cfb0378866c3a0d3fc887973a2bd884dca52244eef1a9c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
bfd7169cf290ab08d8f700bb678a2266

SHA1
c43e146ad0fe2b6e4225dd7b37e319ac9d7bc9a3

SHA256
5c56cbdd51844ef3b4d6792915f0b4b8752126625de85bf3fdfe4ddf712bc079

SHA512
b636dfd45180aaac1bcd85848ead93bd376c376906a0826caf22f2b2edfeea240e947df0b20f27d09ce12dde418c9cb319ec320df70a430624c2a40c75c26d71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
b1240ba9b3e9bfe212b3196a580f34a7

SHA1
456784a6066ea0fe7b6d0f64beed5d61b9c9a5d2

SHA256
45b4987222e84e89258e65fd94b7ad749e81a8b7d986b825636b39b3a4ab9a28

SHA512
d15d1e8d7f8c020ca085d8f2eea578407770f2f16bdf4d787839a4d77e7be6fd202fc816d11d674dfeaeef0f1e148d593827009a803b96c77dd471a060e5ee9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
a8171a92bd97a13c7344c35b0afbac85

SHA1
fe760e4e71f9c28e6b1a50e95040722f9f60d047

SHA256
f0df6a0555dd56af69dfc88f97ccd8c3c6e121b0fff9a32629a369b5a2d1986e

SHA512
e6df1ea2d4e86dc3d8ad4591b7bf9485a0f53f40f071eb87089cc2d1decc53d50bd076e1893fcc4349345cf5f4e4224bd78710647bca2adcdcaf949e64cfdb34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
f859657ae2ba803cfb4b848c45321820

SHA1
d29cf29b5d884f95714cc7e767cdc85224c9c5df

SHA256
81f71cff8ce09bb2b6e702df22c8817ad57a58509c5ac67463f000451e993547

SHA512
2ce8f997caeb61a516efdcc833f533aecfd9c4bb1a84f9218ad204bcfe6b4952450e51e42ad3ed88afbe0aaf1385f4ec1c3b063ea88d641d27ab4416b4cf3a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
05e3b9f78cf3cd8c0df2b50100fa7923

SHA1
f6c2103b109ea12fd5a92cd4ea868756776b5e57

SHA256
a6004d6dfa0ebb1e570a77b64745e1a4b595da3b73b3a6c2a70a0d30deb6f0f3

SHA512
913e447b592d2bcf7cc1b75b4f37dc8b13675bce1a29dbb1533ee24a000c6a490657c05b6d3ce5ee2cc9cc1d0d4d558a90b40f4328bf50b27802728b34cf7315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
4263faefe0a82d2c43d1717d7ea622d3

SHA1
74896f27e0b971a268db4d2439f50ef448205e0f

SHA256
142d6e04681330936fd98ad70982e95da83a427bf6b0a01b51cd42412b62efb0

SHA512
eef2be01a6f4a53c7f49edbd64455f35116efb56b8c3d298c83811e90ac7a00819d948b97373ceb08b9e0802fb50b2181f04bf9b9440a81380157e2cd4ccb776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
18338f027d6e7ed7b473bb92452b0cce

SHA1
d1dd97dec7ab705ee79fcff76a34065e3196b0b8

SHA256
82726a1923e367753557c0a5acde7e21d2ed6a9f9d51042eb6dd9584e631e5c6

SHA512
2e9dec646b52ec27368e8a8765249d5f89a74c3f9a137aa2b2b670616e148d53381d08022e1bdb32dcf89da641e30ce477f021ab608c740fb3e0f13008ab3ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
d2a8b8251d68785f46a3f5f39a5d418c

SHA1
073f664c92dc045e5206abe4b244c6c5820c0f62

SHA256
685de2c1e7c33d91f5a179dc22836726d2708370e1f5271adec05d5db5baf607

SHA512
f7a6778083f2bb228e4e87287f7c6d85cbb771014063ccca36f14deea803ffa52113e8be9585a554ba168f93e05d9bc58e74996baf2e76afdd6b2053a0a3dd3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
f11e7887d5dd5fedce8d39a9d1ed3312

SHA1
1fec601175dd055c73d157cf4e34d0d3fa6269c4

SHA256
ac44cef8a6fb1c68cd47a4291a655add86c931e51cb019679b89eb043914d994

SHA512
d00ea5dd3da21c46e39ed97c612aee1e85fd7a54bd9ce8e222ac8e75977b119860e1a139d6b9006b28d9e7a7ceedbe58044b7b448445979c5b3812dca2dd0534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
0d53c808bb0b33b424dfda75ac7f72bb

SHA1
be1e96b378c835a7791682f0b08a60779f4facc5

SHA256
5ec3e7763529368e6e3be2db007af086f2718d5990d880c1c3e0d8c75ae185a9

SHA512
716bf5c71352d077cd2c36c2c01a04c9b576e9b283d682791d4c2a3761523a619c3e8ee9cd57de2eec5402be7cc516b3f672a46eb372d8bac1e1a05f1b7eac8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
4ae9a93da48beaee1c41b6e901e78a92

SHA1
9ea6b00431f7b89e1d0cf602cab52f32710f3efb

SHA256
fab8ec182ed018e5f585cdde3015d2d6905559241d83f704c4c9b03d574fc0fb

SHA512
577badb8c5ac909125ebe33a921b03dc03ad214d322626ec49d40fb13f28d7f272db765940eebf99d1b659ce41dead70d7f08331fb7d14fe4d0cb195cd6beba6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
0f8a3dd8be7bf753f275ea57faa884d8

SHA1
a44e38d68f45eb66a952563ea7fbfcb615523d2a

SHA256
2b87369e0f5dd902009096a63476ab5ae9a827a7df3bf42c1c758f622ade304c

SHA512
bdafd44e246ecd7f3c81d8dbcc62cc5cf191b8b81716f7c522e052537e68f2ab010404dc8379baf8c28ffa6578d000f50f17bc4bf1f2ee8e9415cbf44e2ffa13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
3c33caed6f8e38b0d213a0111b8b23d9

SHA1
9f6977cd9c4df1db87df25d241c99e4383cf3b6c

SHA256
fdb8e1338cb88b46cd6850b54077312c84180a71ee641ffe8066f80be25087ca

SHA512
d349badce500252fd660268f642fba403abe8f0e4b17e118a6c3fc3b51c4cc440e0c29ff4b38200eceb3eeb7be7de49fde9700663e0218d3eb8473e98b017652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
565038e1e00bb3ce63c8519d1a5f8c32

SHA1
f4d84d00f5283b45583258134b9baf300b000b48

SHA256
3b53c2831a9441a29c4e86ffb501f8428618c7ed6f85ef15b636a6a56ef63809

SHA512
6036508e19d2adf9d6f2f888710999c9b2082e15ccfacecaad4f03805558bab9d89c25bfece44d53e55c885873e37848224e4f61a8cbdc34cb9c3f7adae20662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
8e278f995863d79f25a5896ac86e1364

SHA1
e528748f0c14e44ed2e23bab6e6bf90ea5af7f25

SHA256
2dbef986252f2ccb6632b9aaeb663f191d16cf24c7dbcf3d1a76b0fdf0e5baf8

SHA512
ee293a2bf950ef9a257159efd166ef3fef61c80a9688347ea3c12ad893f59f5eeaa66890015e0743a9a7ebced8a55cbe38afa542673f3c6b09dc61988922a4dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
18949838bd1bba641c103297df2d8564

SHA1
8c1754468a620e0bccb501e8f104fb20f3fc8011

SHA256
d7c05b464d48a1c8f51c1701e90f7246d175c09f162fe1b5fd58ebc900213f61

SHA512
dca62ce8bb480016043e4f3c9c7e03570e16937388a651a0ecb994e6c8206c46a8243324f1fd37bad25ce78667793f7555c5c62af385e226381e2935e9893a6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
e1e6a917c18d0cd65a75e50806dd09fd

SHA1
44aa5a6c3fe9a91d02368f12fde6130b61a4194d

SHA256
d531440633c86be1e4f64bfa3037840848e15a862bd699faf5313ec9bf653030

SHA512
227b04dc133972cd8102290a6fe0766c75f0844983b755fae670c18d0120351a32dee5826ca0f2d72f6fd5f254e28888b5b1be2308550b57c9e225e0c5f1e2cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
5dafb26c6988586ed0befb6f054a028b

SHA1
0590d1b00029739d0dbc07a1d43b78cc188bc4b2

SHA256
e7338ebff02522228ddf8bd77d57c580c0d55a966e346c74bd08159dcc28f4a5

SHA512
931e30060ea3ca46717309b8100d980df35c4acf9e9fde83a85e8db9b1fb607f5a1450905ffed23226d796cb2d0b0c03b4a0fc76a7ab31b962c0ccf18f928e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
420b5895fe07b3f08cc7435b457c2445

SHA1
513fbb463ccf24b817216f6ba75de40ae84c9aad

SHA256
834659a40c2bffbfe28e2d1a2b2f759a8ac9c58185f41d1ff16f2fccd260b026

SHA512
bc71c0414f785854f8ad054d7d5e6acdee7a3d58470af334d098965b0ba1de811f1ff995f30a51dea15cee611b80890b486ebbbf26772ba044e46642ca61b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
d2a7b31fdc01d2f13b17bdcb106b4d9d

SHA1
dd46fe9862a216c2b484076b65484ebd040f3db3

SHA256
3ab2a54dfdcff6615b9be8370e0873e4c47566885095867e3c198c0c081a9b98

SHA512
cac6b67e1347844648bf1790299ae4f6755a5e31d57505aa8adb6c8d562120eb5b5a83a4244155823fe03438349014b241c6acca8459eead2348fb18582e8c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
896B

MD5
e25762140d0ce9227377b539fe41ed7c

SHA1
6618ea51d008f087f3630a3dca7ff0e6a9489719

SHA256
f542579e90003059b9dea60df6bef2fa3733063d9b996c4ef286a8c635ca2281

SHA512
252959b7770627b50b49d9b67c7fe1ed3c3ae2a69857e3e4fc00c14ac38d5b9114e8652dbdf13eea11f2cdb65cfd93de68104b05f73dcb46d1fe60b4d5c93253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
11eefb73b21a749ce7f3575b1276b320

SHA1
25db8b6bb583a8bfb65dcc06e224b2ebdaa03538

SHA256
539b56df4b763ed5cc5984518a8dc922c6e59dabb27c6312db6e3b06d43d0827

SHA512
e1db569222320760a41ba47b2415d0d3c9e89185ba72da889ad6eb3bb4b3ebe53281373b7476e0abbd1e68edbd1677d0e34e4f588d347c73ba8e76ea8b73643b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
f374573100f363b9afc5b5c11ccdaad2

SHA1
71d1c2c7ac3c555bbaad5e5cfeb49fe34d4bfba6

SHA256
e72802c78b62f6e985572f1d5da2e7461f2d0335ccc048f13bf15489b192aa71

SHA512
edcbcc119196c462ee765b42afe28370f8771341ce191ada4a4b919bd20638ffee2ab9c490704c7379e9d91b478c84680d26de3903befd933f04e9e23df9fd14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
7609dc88f3e0fb265ce25232aeb08f4a

SHA1
98c2cfc534cef6b8f2bffa8c8466d5778c091ae1

SHA256
81735e2ae57c7fd3db11488d50ce04cb00d8328e6a095ebecb1bd97c729472db

SHA512
158016fbcc6fcf4281002784880726bbac70baafcac41fb16633e64ded2462f139d132bb56b78689838430e1e73423d35679ddf544bf7e6171be4200969fe471

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
129d0d7b48aa543c7150e977b430148d

SHA1
9582aa5c1dd869e38207d09cf6dd7a9e5891e209

SHA256
8b130cf51aaabebd467b79a3b234af7bae8b0aafead18401f1720076f787915c

SHA512
adab4d08e05a570463a4694a4f23c6ca2d371a389d355ff29bf2a936b3be7219359ac1a7e2ca0d37b64d9b5c0321aa5b5556026051c8174109dba111afe44536

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
cf21d31e5a5c54db00f834682d079a0f

SHA1
b4a1442f61b5a7ec99e96ad29c9ecc3863d3eb31

SHA256
186132282abbfb215b95435d436aa75a06a7c1a88a21d3ea969cdd595e77c1b9

SHA512
c8d9eff162d6a616f3e642bb220a04c3e6c24ef43f7a9b3cb3b5a7fa3b621d11fc055d7fa7434207f1ae5e4963718ddb96d63635267604461e886157b03e3696

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
c18c930692741164d45c4aa6ee53b0da

SHA1
628564c8a80d4b9a0d1eb2ecd4567c34cbc7c301

SHA256
7223f76c31774690b549220294248d69696cb55df8f4621f82028de016dbceb8

SHA512
4f73eb15deb25c3928d300f272bd9224b6816cce973dccca4ca6d55235c55840636a214e735eeb271a6fc036c8b373fbd26f79372037f875316cdaa14a839d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
93d1e6a71408e8905a3d80e26c18d3e6

SHA1
af851d7c5079d102d2c73954947c2c195c33d709

SHA256
533e438436d772287df974bb324b480212185d3423ab18b163b055897723be39

SHA512
4a15766cc7027c6d7a4d0ba0016c8944565ff772c4d0f4879aadd2f60c4bfc6b84817ee5699574a908546c48b96bdd3ae1249d15377530485de64943e2cca807

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
012a431039b54e71062bfaf8e837e656

SHA1
bd42a9923ead7687f857ed608928f8a3081102e8

SHA256
a70a1b8768e7597b10fd4d1dcec84ba0b35a067e045b6fa55d18483f56891cbe

SHA512
365d2349401f151b19e79df9969242320324df2f689c99fca9502e805558599a56b40ba64d8143f215a665a62d3a7f9ad061e686725a9010522ee22ae989af05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
a9764c8152f5e8c3c49602165837ab7e

SHA1
f8c1fe33f77a25a10c0b69472b1a58b64bde1106

SHA256
28d49c81e2fbe261bf50999533d79d36054b6da1156c804fb8b3e39bec795033

SHA512
0bc303b2f7ed83613c4262d28604a09baf1bddcc5aa3860abd53491646acefeebe22a7c4f3f77aedc7a6ce19cd8613505586932904588383cb231c2b860adf90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
e5756f56511fb7874e18ca75f28312f1

SHA1
b24256b9e475eba21d1018cf3685d67729168313

SHA256
6843aad3780aec81527b937b0a5e8a70df2e8da82bd5612f4ddd3034ef14efd8

SHA512
71244e50a82c6285c91de50897746813a336695086b045fd1e3ff984e2797f4b5207dcb5755d55125ec5c04f3f443ddcb25a2f2d31a9e267b50c7e1807a03219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
3108ee0c9546b1930bf3b80f666cf16a

SHA1
2906b7199cbaf5dd39cad205c860e7b3824dfe5d

SHA256
db664b3f29e0eb5b297287e575bf7c9e4b2e93a7c0e76d181d6bf600adf77f69

SHA512
6e2514353f2f81b5b3e38f5d6c272efccd00a08c6f0653328df169e008b99b94e7c73711118fc1126177e87e67f5e9d7f5db5654664404549ae48aa5f39cad47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
1595e4fc9d978dcf72c516c5eb7795f2

SHA1
1c1acd18c34b19b0ef121d7d8173989ba6dd1bd6

SHA256
3fcddc5d6b2816b93dca3337158eba9cc590f0e308b53c5aa23a42a9eb989431

SHA512
5ba036a01dc724140c27b05be46770bdf477a001327cc4ce91a73c27bc4b5f398a6f1713da6a9715a6a3bd27023d08521f31dcc3464902d46b5e3fd34237321c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
bef0a44e139d8b46cbd3e411917454dc

SHA1
4061b198e1f68d1f2023c3cbbed15f17af304a31

SHA256
5f0f06cc915aaa79b14d2336b35d07f07cd455872c4aa60625eff92061a3e45e

SHA512
4686f27c86334b9444c1a639a9c102f8c86fe1c04b27b16ad54bdc9cfc1a2b70f6517439cda9df49ea43ad6998cd6b67ed69f5fa7f309821f479fce6b2e66179

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
badeb3505017829e4d0cf0a2e4176328

SHA1
23b1923d351f9171a68022cf232281b58ddb79d2

SHA256
9b0b012465dcaaeda8941455b4e6acda776b13faf65e9c05b3068037c9416503

SHA512
ccf851bc0038bc39fa341ec79a56811a85efa39160dd9061f806cc22507e230da0d1a3734955ee4ec2571aa654c2ec48d86cec599fb882788da75cfb6638b542

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
bc3c16c064a2285ba2906374e3737863

SHA1
b1093f9f1d201d4b7f8509246748004ddd4b3f34

SHA256
d5c3bb8cd42d053391f098a08f14af27d764f7756b267664d35ce2f490057c63

SHA512
2b6187091d41db2076377cb2be5c95688c78ad2ec182a4989a56d37969ae5c2ff2dacfe41fd90ac60ae4599845dc7ef30f52f933e274f834082a8ca2fad1eed3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
bafecc2fe78761f5384a32c7e1f29fe1

SHA1
32cfc2470044ee32c323807ec709463b882a534f

SHA256
c980947ad81646ac8583942804969722ee384e023fd90afc94f1d859c0c4f78b

SHA512
847dd2523ad18577724038a19181ceafb68275860761421c4794c5129c5b7847a94de072ab83faaf63de3bffb423fb796d2ebfed37b945389e82ea97dedfa2e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
19cfe5f1ea9d8d5fcfa283f2de4c25f1

SHA1
7998a6f12a6a0340a5fe1e56ee7a1140401fb75b

SHA256
47f738a4aa26fac7d418eaeb7fc95021f38ae3e08c7546d6553cab331c6be7c1

SHA512
3129dd1c890940cead9a9af7750c594ad5c74e8cc358d7537f228b4fcbadfc4490209fb988c3a9e792d85e22c1fae7ee20f3bbeabad7a7afbb2733db81fe1753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
f96f18719fe6192b47dff43c840e9932

SHA1
aba24ed0613baa59f71ef06c6da1f0cb85e6c7f3

SHA256
6928cb44dbc42fe542701c014fd1c6efc29738f53bf89751f95653396873002b

SHA512
5deb7be86e541e87d4810c4e98ef2bf90954322cf15818c05fcca98e415451631b3737b60c4cd32f9b72eb9e81251270ef1bb7783d486eb924f1033cef7ac369

Download Submit
memory/1976-421-0x0000000001300000-0x00000000018EF000-memory.dmp

Filesize
5.9MB

Download
memory/1976-957-0x0000000001380000-0x00000000013B8000-memory.dmp

Filesize
224KB

Download
memory/2180-367-0x00007FF7630B0000-0x00007FF763117000-memory.dmp

Filesize
412KB

Download
memory/3544-388-0x00007FF7630B0000-0x00007FF763117000-memory.dmp

Filesize
412KB

Download
memory/3648-686-0x0000000000770000-0x0000000000C6E000-memory.dmp

Filesize
5.0MB

Download
memory/4236-404-0x0000000000A00000-0x0000000000A38000-memory.dmp

Filesize
224KB

Download
memory/4236-398-0x0000000000A00000-0x00000000010F8000-memory.dmp

Filesize
7.0MB

Download
memory/4308-137-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/4308-142-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/4308-140-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

Filesize
40KB

Download
memory/4308-141-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/4308-136-0x0000000005C60000-0x0000000005CFC000-memory.dmp

Filesize
624KB

Download
memory/4308-135-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/4308-134-0x0000000006170000-0x0000000006714000-memory.dmp

Filesize
5.6MB

Download
memory/4308-133-0x0000000000F00000-0x0000000000F38000-memory.dmp

Filesize
224KB

Download
memory/4308-132-0x0000000000F00000-0x00000000014F2000-memory.dmp

Filesize
5.9MB

Download
memory/4504-145-0x0000000001310000-0x0000000001348000-memory.dmp

Filesize
224KB

Download
memory/4504-144-0x0000000001310000-0x0000000001957000-memory.dmp

Filesize
6.3MB

Download
memory/4864-162-0x00000000007A0000-0x0000000000E74000-memory.dmp

Filesize
6.8MB

Download
memory/4864-163-0x00000000007A0000-0x00000000007D8000-memory.dmp

Filesize
224KB

Download
memory/5108-160-0x0000000000800000-0x0000000000D98000-memory.dmp

Filesize
5.6MB

Download
memory/5108-161-0x0000000000800000-0x0000000000838000-memory.dmp

Filesize
224KB

Download
memory/5144-371-0x0000000000D40000-0x000000000126C000-memory.dmp

Filesize
5.2MB

Download
memory/5144-374-0x0000000000D40000-0x0000000000D78000-memory.dmp

Filesize
224KB

Download
memory/5216-637-0x0000000000D00000-0x00000000011D3000-memory.dmp

Filesize
4.8MB

Download
memory/5292-623-0x0000000000500000-0x0000000000A9C000-memory.dmp

Filesize
5.6MB

Download
memory/5292-628-0x0000000000500000-0x0000000000538000-memory.dmp

Filesize
224KB

Download
memory/5924-182-0x0000000000900000-0x0000000000ECE000-memory.dmp

Filesize
5.8MB

Download
memory/5924-185-0x0000000000900000-0x0000000000938000-memory.dmp

Filesize
224KB

Download
memory/5976-734-0x0000000001200000-0x0000000001238000-memory.dmp

Filesize
224KB

Download
memory/5976-730-0x0000000001200000-0x00000000017DB000-memory.dmp

Filesize
5.9MB

Download
memory/6076-188-0x0000000000820000-0x0000000000D61000-memory.dmp

Filesize
5.3MB

Download
memory/6076-189-0x0000000000820000-0x0000000000858000-memory.dmp

Filesize
224KB

Download
memory/6100-192-0x0000000000400000-0x0000000000941000-memory.dmp

Filesize
5.3MB

Download
memory/6100-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6240-632-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/6704-685-0x0000000000D30000-0x0000000000D68000-memory.dmp

Filesize
224KB

Download
memory/6704-679-0x0000000000D30000-0x0000000001200000-memory.dmp

Filesize
4.8MB

Download
memory/6780-210-0x0000000000E20000-0x000000000138D000-memory.dmp

Filesize
5.4MB

Download
memory/6780-216-0x0000000000E20000-0x0000000000E58000-memory.dmp

Filesize
224KB

Download
memory/6804-369-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/7216-692-0x0000000000900000-0x0000000000DFE000-memory.dmp

Filesize
5.0MB

Download
memory/7412-765-0x0000000000400000-0x0000000000A27000-memory.dmp

Filesize
6.2MB

Download
memory/7456-731-0x0000000000960000-0x0000000000998000-memory.dmp

Filesize
224KB

Download
memory/7456-720-0x0000000000960000-0x0000000000E51000-memory.dmp

Filesize
4.9MB

Download
memory/7740-409-0x0000000000A10000-0x0000000000A48000-memory.dmp

Filesize
224KB

Download
memory/7740-400-0x0000000000A10000-0x0000000000F1C000-memory.dmp

Filesize
5.0MB

Download
memory/7864-741-0x0000000000F80000-0x0000000000FB8000-memory.dmp

Filesize
224KB

Download
memory/7864-733-0x0000000000F80000-0x000000000155B000-memory.dmp

Filesize
5.9MB

Download
memory/8172-767-0x0000000000770000-0x0000000000D73000-memory.dmp

Filesize
6.0MB

Download
memory/8336-343-0x0000000000520000-0x0000000000A38000-memory.dmp

Filesize
5.1MB

Download
memory/8336-346-0x0000000000520000-0x0000000000558000-memory.dmp

Filesize
224KB

Download
memory/8444-860-0x0000000001100000-0x000000000170A000-memory.dmp

Filesize
6.0MB

Download
memory/8584-423-0x0000000000E30000-0x00000000012FE000-memory.dmp

Filesize
4.8MB

Download
memory/8584-431-0x0000000000E30000-0x0000000000E68000-memory.dmp

Filesize
224KB

Download
memory/8624-856-0x0000000001100000-0x0000000001138000-memory.dmp

Filesize
224KB

Download
memory/8624-849-0x0000000001100000-0x00000000017C4000-memory.dmp

Filesize
6.8MB

Download
memory/8864-345-0x0000000001300000-0x0000000001818000-memory.dmp

Filesize
5.1MB

Download
memory/8864-347-0x0000000001300000-0x0000000001338000-memory.dmp

Filesize
224KB

Download
memory/8892-375-0x0000000000770000-0x0000000000C9C000-memory.dmp

Filesize
5.2MB

Download
memory/9012-379-0x0000000000740000-0x0000000000778000-memory.dmp

Filesize
224KB

Download
memory/9012-376-0x0000000000740000-0x0000000000C6C000-memory.dmp

Filesize
5.2MB

Download
memory/9364-570-0x0000000000B00000-0x0000000001222000-memory.dmp

Filesize
7.1MB

Download
memory/9796-490-0x0000000001000000-0x0000000001547000-memory.dmp

Filesize
5.3MB

Download
memory/9796-495-0x0000000001000000-0x0000000001038000-memory.dmp

Filesize
224KB

Download
memory/10436-903-0x0000000000B20000-0x0000000000B58000-memory.dmp

Filesize
224KB

Download
memory/10452-787-0x0000000000560000-0x0000000000A22000-memory.dmp

Filesize
4.8MB

Download
memory/10452-794-0x0000000000560000-0x0000000000598000-memory.dmp

Filesize
224KB

Download
memory/10508-673-0x0000000000D00000-0x00000000011D0000-memory.dmp

Filesize
4.8MB

Download
memory/10536-902-0x0000000000990000-0x00000000009C8000-memory.dmp

Filesize
224KB

Download
memory/10980-276-0x0000000001110000-0x000000000183C000-memory.dmp

Filesize
7.2MB

Download
memory/10980-279-0x0000000001110000-0x0000000001148000-memory.dmp

Filesize
224KB

Download
memory/11012-393-0x0000000001030000-0x0000000001068000-memory.dmp

Filesize
224KB

Download
memory/11012-392-0x0000000001030000-0x00000000016D7000-memory.dmp

Filesize
6.7MB

Download
memory/11024-370-0x00000000011A0000-0x000000000175D000-memory.dmp

Filesize
5.7MB

Download
memory/11024-373-0x00000000011A0000-0x00000000011D8000-memory.dmp

Filesize
224KB

Download
memory/11188-410-0x0000000000C20000-0x0000000000C58000-memory.dmp

Filesize
224KB

Download
memory/11188-403-0x0000000000C20000-0x000000000112C000-memory.dmp

Filesize
5.0MB

Download
memory/11632-594-0x0000000000A00000-0x00000000010A3000-memory.dmp

Filesize
6.6MB

Download
memory/11880-555-0x0000000000B00000-0x0000000000B38000-memory.dmp

Filesize
224KB

Download
memory/11880-552-0x0000000000B00000-0x000000000124F000-memory.dmp

Filesize
7.3MB

Download
memory/12044-614-0x0000000000F20000-0x00000000014BC000-memory.dmp

Filesize
5.6MB

Download
memory/12044-621-0x0000000000F20000-0x0000000000F58000-memory.dmp

Filesize
224KB

Download
memory/12412-901-0x0000000001340000-0x0000000001378000-memory.dmp

Filesize
224KB

Download
memory/12412-897-0x0000000001340000-0x0000000001915000-memory.dmp

Filesize
5.8MB

Download
memory/12504-898-0x0000000000900000-0x0000000000ED5000-memory.dmp

Filesize
5.8MB

Download
memory/12572-884-0x0000000000C00000-0x0000000000C38000-memory.dmp

Filesize
224KB

Download
memory/12572-869-0x0000000000C00000-0x000000000120A000-memory.dmp

Filesize
6.0MB

Download
memory/12576-489-0x0000000000900000-0x0000000001032000-memory.dmp

Filesize
7.2MB

Download
memory/12660-598-0x0000000000810000-0x0000000000EB3000-memory.dmp

Filesize
6.6MB

Download
memory/12660-602-0x0000000000810000-0x0000000000848000-memory.dmp

Filesize
224KB

Download
memory/12672-523-0x0000000000D20000-0x0000000000D58000-memory.dmp

Filesize
224KB

Download
memory/12672-519-0x0000000000D20000-0x000000000131E000-memory.dmp

Filesize
6.0MB

Download
memory/13036-895-0x00000000007A0000-0x0000000000D75000-memory.dmp

Filesize
5.8MB

Download
memory/13140-298-0x0000000001140000-0x00000000017AF000-memory.dmp

Filesize
6.4MB

Download
memory/13140-302-0x0000000001140000-0x0000000001178000-memory.dmp

Filesize
224KB

Download
memory/13440-308-0x0000000000910000-0x0000000000948000-memory.dmp

Filesize
224KB

Download
memory/13440-306-0x0000000000910000-0x0000000000F9F000-memory.dmp

Filesize
6.6MB

Download
memory/13448-548-0x0000000000910000-0x000000000105F000-memory.dmp

Filesize
7.3MB

Download
memory/13464-828-0x0000000001110000-0x00000000017D4000-memory.dmp

Filesize
6.8MB

Download
memory/13588-603-0x00000000009A0000-0x0000000001043000-memory.dmp

Filesize
6.6MB

Download
memory/13588-605-0x00000000009A0000-0x00000000009D8000-memory.dmp

Filesize
224KB

Download
memory/14268-501-0x0000000000F00000-0x0000000001619000-memory.dmp

Filesize
7.1MB

Download
memory/14368-542-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/14368-541-0x0000000000700000-0x0000000000BF0000-memory.dmp

Filesize
4.9MB

Download
memory/14556-318-0x0000000000D00000-0x0000000000D38000-memory.dmp

Filesize
224KB

Download
memory/14556-314-0x0000000000D00000-0x00000000013C4000-memory.dmp

Filesize
6.8MB

Download
memory/14708-509-0x0000000001360000-0x000000000195E000-memory.dmp

Filesize
6.0MB

Download
memory/14708-513-0x0000000001360000-0x0000000001398000-memory.dmp

Filesize
224KB

Download
memory/14952-1321-0x0000000000B50000-0x0000000000B88000-memory.dmp

Filesize
224KB

Download
memory/15336-576-0x0000000000F00000-0x0000000001459000-memory.dmp

Filesize
5.3MB

Download
memory/15540-396-0x0000000000620000-0x0000000000658000-memory.dmp

Filesize
224KB

Download
memory/15540-394-0x0000000000620000-0x0000000000C82000-memory.dmp

Filesize
6.4MB

Download
memory/16032-693-0x0000000000E00000-0x00000000012FE000-memory.dmp

Filesize
5.0MB

Download
memory/16032-696-0x0000000000E00000-0x0000000000E38000-memory.dmp

Filesize
224KB

Download
memory/16144-812-0x00000000013C0000-0x0000000001ABC000-memory.dmp

Filesize
7.0MB

Download
memory/16144-819-0x00000000013C0000-0x00000000013F8000-memory.dmp

Filesize
224KB

Download