redline | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (23).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

redline supertraff evasion infostealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

supertraff

135.148.139.222:1494

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral31/memory/2844-176-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral31/memory/1228-187-0x00000000003A0000-0x00000000003BC000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
1868	nCnNtht2A4WOLrrSVkHhmyRC.exe
428	MxbRPfobz6sIBWA9JDdJD3u5.exe
1736	4j_XcEcNv6yyjYITGHdKmbIS.exe
240	dUI0UBK8lJEi3VRCWX0iRaxZ.exe
1932	5FZ8Ae7JaqT1jQoL7ZxlZZqZ.exe
2012	tsgTP3yDqtCYD16JFpgHexeR.exe
1988	hcfH16raVvox89wMZtA3xzLD.exe
1280	3Ttn8fgw8_hlASszxVNipcdP.exe
2044	ttk_T_P1ZzNBtIy1fT3TQ9pD.exe
964	LPWfxkIZRkv53Vqvm9YZD3lZ.exe
1344	Uo0I9FlSQHNposQ9bRXsMaKV.exe
1536	HhP6FrPHgKJOe7CgYcImqGHi.exe
300	FZx7E89ziCU4ImVJSyqvMqr3.exe
1600	wbBQm8_Upwwu7YM5mYgJh2Ec.exe
1228	EamziklM5mDURv9MKB9_04H9.exe
672	50zF5PKTPo8sTzGbJh2ktdl7.exe
2016	74TicK7KH3BtXxa9_IMZqCKL.exe
336	sDSzTjtznv8VNcz8G7YQwkbx.exe
2124	OOTh7DO3Gm_rXcqsQTeYj68m.exe
2160	RNZ0ykBCSJrG9CKyGG1Ln5qK.exe
2088	qJXN4KzBHqN5RkQrm7cXg9_S.exe
2072	RPtiUz_hTA4tG7lEkk_uyZrd.exe
2200	4oqjfzZnFkTSd6T4hfM7h8I_.exe
2108	Fk5SarZ1j7UcrqIycN2IrgZZ.exe
2176	kTOgpBKJUeBIDsSFvJTvRVrO.exe
2532	MxbRPfobz6sIBWA9JDdJD3u5.exe
2836	4j_XcEcNv6yyjYITGHdKmbIS.exe
2872	4j_XcEcNv6yyjYITGHdKmbIS.exe
2956	4j_XcEcNv6yyjYITGHdKmbIS.exe
2988	4j_XcEcNv6yyjYITGHdKmbIS.exe
3024	4j_XcEcNv6yyjYITGHdKmbIS.exe
3036	4j_XcEcNv6yyjYITGHdKmbIS.exe
3060	4j_XcEcNv6yyjYITGHdKmbIS.exe
3068	4j_XcEcNv6yyjYITGHdKmbIS.exe
1784	4j_XcEcNv6yyjYITGHdKmbIS.exe
284	4j_XcEcNv6yyjYITGHdKmbIS.exe
1572	4j_XcEcNv6yyjYITGHdKmbIS.exe
2036	4j_XcEcNv6yyjYITGHdKmbIS.exe
1664	4j_XcEcNv6yyjYITGHdKmbIS.exe
920	4j_XcEcNv6yyjYITGHdKmbIS.exe
2068	4j_XcEcNv6yyjYITGHdKmbIS.exe
1804	4j_XcEcNv6yyjYITGHdKmbIS.exe
864	4j_XcEcNv6yyjYITGHdKmbIS.exe
2224	4j_XcEcNv6yyjYITGHdKmbIS.exe
684	4j_XcEcNv6yyjYITGHdKmbIS.exe
1400	4j_XcEcNv6yyjYITGHdKmbIS.exe
2288	4j_XcEcNv6yyjYITGHdKmbIS.exe
2080	4j_XcEcNv6yyjYITGHdKmbIS.exe
2284	4j_XcEcNv6yyjYITGHdKmbIS.exe
2468	4j_XcEcNv6yyjYITGHdKmbIS.exe
2308	4j_XcEcNv6yyjYITGHdKmbIS.exe
2592	4j_XcEcNv6yyjYITGHdKmbIS.exe
1484	934.exe
2632	4j_XcEcNv6yyjYITGHdKmbIS.exe
432	4j_XcEcNv6yyjYITGHdKmbIS.exe
2748	4j_XcEcNv6yyjYITGHdKmbIS.exe
268	4j_XcEcNv6yyjYITGHdKmbIS.exe
1064	4j_XcEcNv6yyjYITGHdKmbIS.exe
1056	4j_XcEcNv6yyjYITGHdKmbIS.exe
2824	4j_XcEcNv6yyjYITGHdKmbIS.exe
1280	4j_XcEcNv6yyjYITGHdKmbIS.exe
1580	4j_XcEcNv6yyjYITGHdKmbIS.exe
828	d_R07Bqj0y1PZCXcHb6lx3_n.exe
2728	4j_XcEcNv6yyjYITGHdKmbIS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (23).exe

Loads dropped DLL 40 IoCs

pid	Process
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
1648	Setup (23).exe
2016	74TicK7KH3BtXxa9_IMZqCKL.exe
2016	74TicK7KH3BtXxa9_IMZqCKL.exe
2016	74TicK7KH3BtXxa9_IMZqCKL.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral31/files/0x0003000000013197-122.dat	themida
behavioral31/files/0x000300000001317a-86.dat	themida
behavioral31/files/0x0003000000013197-146.dat	themida
behavioral31/files/0x000300000001317a-133.dat	themida
behavioral31/files/0x000300000001317f-115.dat	themida
behavioral31/files/0x000300000001317f-152.dat	themida

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io
150	ipinfo.io
151	ipinfo.io
20	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 2532	428	MxbRPfobz6sIBWA9JDdJD3u5.exe	66
PID 2176 set thread context of 2844	2176	kTOgpBKJUeBIDsSFvJTvRVrO.exe	68

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	50zF5PKTPo8sTzGbJh2ktdl7.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	50zF5PKTPo8sTzGbJh2ktdl7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MxbRPfobz6sIBWA9JDdJD3u5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcfH16raVvox89wMZtA3xzLD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcfH16raVvox89wMZtA3xzLD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hcfH16raVvox89wMZtA3xzLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MxbRPfobz6sIBWA9JDdJD3u5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MxbRPfobz6sIBWA9JDdJD3u5.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2972	schtasks.exe
2920	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1396	timeout.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	50zF5PKTPo8sTzGbJh2ktdl7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (23).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (23).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (23).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (23).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (23).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	50zF5PKTPo8sTzGbJh2ktdl7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	Setup (23).exe
2532	MxbRPfobz6sIBWA9JDdJD3u5.exe
2532	MxbRPfobz6sIBWA9JDdJD3u5.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2532	MxbRPfobz6sIBWA9JDdJD3u5.exe
1988	hcfH16raVvox89wMZtA3xzLD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1484	934.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 428	1648	Setup (23).exe	32
PID 1648 wrote to memory of 428	1648	Setup (23).exe	32
PID 1648 wrote to memory of 428	1648	Setup (23).exe	32
PID 1648 wrote to memory of 428	1648	Setup (23).exe	32
PID 1648 wrote to memory of 240	1648	Setup (23).exe	33
PID 1648 wrote to memory of 240	1648	Setup (23).exe	33
PID 1648 wrote to memory of 240	1648	Setup (23).exe	33
PID 1648 wrote to memory of 240	1648	Setup (23).exe	33
PID 1648 wrote to memory of 1736	1648	Setup (23).exe	50
PID 1648 wrote to memory of 1736	1648	Setup (23).exe	50
PID 1648 wrote to memory of 1736	1648	Setup (23).exe	50
PID 1648 wrote to memory of 1736	1648	Setup (23).exe	50
PID 1648 wrote to memory of 1932	1648	Setup (23).exe	49
PID 1648 wrote to memory of 1932	1648	Setup (23).exe	49
PID 1648 wrote to memory of 1932	1648	Setup (23).exe	49
PID 1648 wrote to memory of 1932	1648	Setup (23).exe	49
PID 1648 wrote to memory of 2012	1648	Setup (23).exe	47
PID 1648 wrote to memory of 2012	1648	Setup (23).exe	47
PID 1648 wrote to memory of 2012	1648	Setup (23).exe	47
PID 1648 wrote to memory of 2012	1648	Setup (23).exe	47
PID 1648 wrote to memory of 1280	1648	Setup (23).exe	45
PID 1648 wrote to memory of 1280	1648	Setup (23).exe	45
PID 1648 wrote to memory of 1280	1648	Setup (23).exe	45
PID 1648 wrote to memory of 1280	1648	Setup (23).exe	45
PID 1648 wrote to memory of 1988	1648	Setup (23).exe	44
PID 1648 wrote to memory of 1988	1648	Setup (23).exe	44
PID 1648 wrote to memory of 1988	1648	Setup (23).exe	44
PID 1648 wrote to memory of 1988	1648	Setup (23).exe	44
PID 1648 wrote to memory of 964	1648	Setup (23).exe	43
PID 1648 wrote to memory of 964	1648	Setup (23).exe	43
PID 1648 wrote to memory of 964	1648	Setup (23).exe	43
PID 1648 wrote to memory of 964	1648	Setup (23).exe	43
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 2044	1648	Setup (23).exe	42
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 1344	1648	Setup (23).exe	41
PID 1648 wrote to memory of 300	1648	Setup (23).exe	40
PID 1648 wrote to memory of 300	1648	Setup (23).exe	40
PID 1648 wrote to memory of 300	1648	Setup (23).exe	40
PID 1648 wrote to memory of 300	1648	Setup (23).exe	40
PID 1648 wrote to memory of 1536	1648	Setup (23).exe	39
PID 1648 wrote to memory of 1536	1648	Setup (23).exe	39
PID 1648 wrote to memory of 1536	1648	Setup (23).exe	39
PID 1648 wrote to memory of 1536	1648	Setup (23).exe	39
PID 1648 wrote to memory of 672	1648	Setup (23).exe	37
PID 1648 wrote to memory of 672	1648	Setup (23).exe	37
PID 1648 wrote to memory of 672	1648	Setup (23).exe	37
PID 1648 wrote to memory of 672	1648	Setup (23).exe	37
PID 1648 wrote to memory of 2016	1648	Setup (23).exe	46
PID 1648 wrote to memory of 2016	1648	Setup (23).exe	46
PID 1648 wrote to memory of 2016	1648	Setup (23).exe	46
PID 1648 wrote to memory of 2016	1648	Setup (23).exe	46
PID 1648 wrote to memory of 336	1648	Setup (23).exe	36
PID 1648 wrote to memory of 336	1648	Setup (23).exe	36

C:\Users\Admin\AppData\Local\Temp\Setup (23).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\Documents\nCnNtht2A4WOLrrSVkHhmyRC.exe
  "C:\Users\Admin\Documents\nCnNtht2A4WOLrrSVkHhmyRC.exe"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Users\Admin\Documents\MxbRPfobz6sIBWA9JDdJD3u5.exe
  "C:\Users\Admin\Documents\MxbRPfobz6sIBWA9JDdJD3u5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:428
- - C:\Users\Admin\Documents\MxbRPfobz6sIBWA9JDdJD3u5.exe
    "C:\Users\Admin\Documents\MxbRPfobz6sIBWA9JDdJD3u5.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2532
- C:\Users\Admin\Documents\dUI0UBK8lJEi3VRCWX0iRaxZ.exe
  "C:\Users\Admin\Documents\dUI0UBK8lJEi3VRCWX0iRaxZ.exe"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Users\Admin\Documents\EamziklM5mDURv9MKB9_04H9.exe
  "C:\Users\Admin\Documents\EamziklM5mDURv9MKB9_04H9.exe"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Users\Admin\Documents\wbBQm8_Upwwu7YM5mYgJh2Ec.exe
  "C:\Users\Admin\Documents\wbBQm8_Upwwu7YM5mYgJh2Ec.exe"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Users\Admin\Documents\sDSzTjtznv8VNcz8G7YQwkbx.exe
  "C:\Users\Admin\Documents\sDSzTjtznv8VNcz8G7YQwkbx.exe"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Users\Admin\Documents\50zF5PKTPo8sTzGbJh2ktdl7.exe
  "C:\Users\Admin\Documents\50zF5PKTPo8sTzGbJh2ktdl7.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies system certificate store
  PID:672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2972
- C:\Users\Admin\Documents\d_R07Bqj0y1PZCXcHb6lx3_n.exe
  "C:\Users\Admin\Documents\d_R07Bqj0y1PZCXcHb6lx3_n.exe"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Users\Admin\Documents\HhP6FrPHgKJOe7CgYcImqGHi.exe
  "C:\Users\Admin\Documents\HhP6FrPHgKJOe7CgYcImqGHi.exe"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Users\Admin\Documents\FZx7E89ziCU4ImVJSyqvMqr3.exe
  "C:\Users\Admin\Documents\FZx7E89ziCU4ImVJSyqvMqr3.exe"
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Users\Admin\Documents\Uo0I9FlSQHNposQ9bRXsMaKV.exe
  "C:\Users\Admin\Documents\Uo0I9FlSQHNposQ9bRXsMaKV.exe"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Users\Admin\Documents\ttk_T_P1ZzNBtIy1fT3TQ9pD.exe
  "C:\Users\Admin\Documents\ttk_T_P1ZzNBtIy1fT3TQ9pD.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\Documents\LPWfxkIZRkv53Vqvm9YZD3lZ.exe
  "C:\Users\Admin\Documents\LPWfxkIZRkv53Vqvm9YZD3lZ.exe"
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Users\Admin\Documents\hcfH16raVvox89wMZtA3xzLD.exe
  "C:\Users\Admin\Documents\hcfH16raVvox89wMZtA3xzLD.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1988
- C:\Users\Admin\Documents\3Ttn8fgw8_hlASszxVNipcdP.exe
  "C:\Users\Admin\Documents\3Ttn8fgw8_hlASszxVNipcdP.exe"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Users\Admin\Documents\74TicK7KH3BtXxa9_IMZqCKL.exe
  "C:\Users\Admin\Documents\74TicK7KH3BtXxa9_IMZqCKL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
    3⤵
    PID:2328
- C:\Users\Admin\Documents\tsgTP3yDqtCYD16JFpgHexeR.exe
  "C:\Users\Admin\Documents\tsgTP3yDqtCYD16JFpgHexeR.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\Documents\5FZ8Ae7JaqT1jQoL7ZxlZZqZ.exe
  "C:\Users\Admin\Documents\5FZ8Ae7JaqT1jQoL7ZxlZZqZ.exe"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
  "C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2988
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1784
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:284
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1804
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:684
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2224
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2288
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:432
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2748
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:268
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1280
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:1580
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2784
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3052
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:724
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2060
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1304
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1608
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1240
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3032
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1768
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2248
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1360
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2632
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2772
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1996
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1476
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:540
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2988
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2816
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2716
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1788
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2932
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:988
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1152
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2732
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3088
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3132
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3196
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3228
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3264
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3324
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3632
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3668
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3700
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3760
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3832
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3876
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3892
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3928
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3948
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3972
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3996
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4032
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4064
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3200
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3204
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3672
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3684
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:912
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3000
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2828
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3272
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1868
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3320
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3808
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3992
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4128
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4140
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4216
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4228
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4264
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4280
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4304
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4344
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4372
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4392
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4404
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4432
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4360
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4468
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4484
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4512
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4556
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4592
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4548
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4644
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4672
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4692
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4708
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4744
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4788
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4824
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4888
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4872
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4920
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4944
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4980
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5000
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5020
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5048
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5096
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5072
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:912
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2920
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4164
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3772
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2908
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1984
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3876
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3312
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3576
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3532
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3548
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3608
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3448
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4332
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3596
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3536
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3472
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4212
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4608
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4676
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4368
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4516
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4804
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4464
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4588
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5024
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3288
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:748
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4808
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1240
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3788
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3064
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4844
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3720
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3184
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5116
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4168
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3272
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3380
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4228
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1628
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:860
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4516
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4356
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4440
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4316
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4664
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:1392
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4740
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4116
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4224
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:188
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3116
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4784
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4964
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3876
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3420
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5008
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4076
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4968
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4784
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3584
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4248
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3236
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3160
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3136
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4432
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4204
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3512
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4728
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5168
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5208
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5220
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5240
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5248
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5284
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5344
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5360
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5312
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5184
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5452
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5460
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5484
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5524
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5552
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5580
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5624
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5644
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5668
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5740
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5776
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5876
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5844
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5952
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5712
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5432
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6036
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3488
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3440
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6096
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3604
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5556
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5256
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5548
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5308
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3160
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4820
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3556
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5040
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4772
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4352
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5060
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4120
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3384
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3368
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3304
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:2208
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3228
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5616
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3940
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:3936
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6308
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6340
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6364
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6568
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6744
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6864
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4812
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6292
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5236
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7160
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5752
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7088
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5984
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7028
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7104
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6844
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4376
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:4160
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6888
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5664
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7008
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6512
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7256
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7336
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7448
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7584
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7892
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7948
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5820
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:6204
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5480
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7764
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:5904
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:8104
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7116
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7892
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    C:\Users\Admin\Documents\4j_XcEcNv6yyjYITGHdKmbIS.exe
    3⤵
    PID:8212
- C:\Users\Admin\Documents\4oqjfzZnFkTSd6T4hfM7h8I_.exe
  "C:\Users\Admin\Documents\4oqjfzZnFkTSd6T4hfM7h8I_.exe"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Users\Admin\Documents\kTOgpBKJUeBIDsSFvJTvRVrO.exe
  "C:\Users\Admin\Documents\kTOgpBKJUeBIDsSFvJTvRVrO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2176
- - C:\Users\Admin\Documents\kTOgpBKJUeBIDsSFvJTvRVrO.exe
    C:\Users\Admin\Documents\kTOgpBKJUeBIDsSFvJTvRVrO.exe
    3⤵
    PID:2844
- C:\Users\Admin\Documents\RNZ0ykBCSJrG9CKyGG1Ln5qK.exe
  "C:\Users\Admin\Documents\RNZ0ykBCSJrG9CKyGG1Ln5qK.exe"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Users\Admin\Documents\7ILirgwQylPgIXUKR3B7q55z.exe
  "C:\Users\Admin\Documents\7ILirgwQylPgIXUKR3B7q55z.exe"
  2⤵
  PID:2140
- C:\Users\Admin\Documents\OOTh7DO3Gm_rXcqsQTeYj68m.exe
  "C:\Users\Admin\Documents\OOTh7DO3Gm_rXcqsQTeYj68m.exe"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Users\Admin\Documents\Fk5SarZ1j7UcrqIycN2IrgZZ.exe
  "C:\Users\Admin\Documents\Fk5SarZ1j7UcrqIycN2IrgZZ.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Users\Admin\Documents\qJXN4KzBHqN5RkQrm7cXg9_S.exe
  "C:\Users\Admin\Documents\qJXN4KzBHqN5RkQrm7cXg9_S.exe"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Users\Admin\Documents\RPtiUz_hTA4tG7lEkk_uyZrd.exe
  "C:\Users\Admin\Documents\RPtiUz_hTA4tG7lEkk_uyZrd.exe"
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Users\Admin\AppData\Local\Temp\934.exe
C:\Users\Admin\AppData\Local\Temp\934.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Users\Admin\AppData\Local\Temp\A6CB.exe
C:\Users\Admin\AppData\Local\Temp\A6CB.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\FD16.exe
C:\Users\Admin\AppData\Local\Temp\FD16.exe
1⤵
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dgzvkjuz\
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lfoylotf.exe" C:\Windows\SysWOW64\dgzvkjuz\
  2⤵
  PID:3988

C:\Users\Admin\AppData\Local\Temp\2668.exe
C:\Users\Admin\AppData\Local\Temp\2668.exe
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\4D69.exe
C:\Users\Admin\AppData\Local\Temp\4D69.exe
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\4D69.exe
  C:\Users\Admin\AppData\Local\Temp\4D69.exe
  2⤵
  PID:3028

C:\Users\Admin\AppData\Local\Temp\6972.exe
C:\Users\Admin\AppData\Local\Temp\6972.exe
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\7239.exe
C:\Users\Admin\AppData\Local\Temp\7239.exe
1⤵
PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7239.exe" & exit
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1396

C:\Users\Admin\AppData\Local\Temp\7A94.exe
C:\Users\Admin\AppData\Local\Temp\7A94.exe
1⤵
PID:2636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\A405.exe
C:\Users\Admin\AppData\Local\Temp\A405.exe
1⤵
PID:3656

C:\Windows\system32\taskeng.exe
taskeng.exe {95BCC471-0FB7-487F-97CB-BD608B452CBF} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:5084
- C:\Users\Admin\AppData\Roaming\ftbawwj
  C:\Users\Admin\AppData\Roaming\ftbawwj
  2⤵
  PID:1548
- C:\Users\Admin\AppData\Roaming\jbbawwj
  C:\Users\Admin\AppData\Roaming\jbbawwj
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Roaming\jbbawwj
    C:\Users\Admin\AppData\Roaming\jbbawwj
    3⤵
    PID:1984

C:\Windows\system32\taskeng.exe
taskeng.exe {A70EB515-E2E6-4391-B40F-1C8E944AED89} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:6436
- C:\Users\Admin\AppData\Roaming\jbbawwj
  C:\Users\Admin\AppData\Roaming\jbbawwj
  2⤵
  PID:6928
- - C:\Users\Admin\AppData\Roaming\jbbawwj
    C:\Users\Admin\AppData\Roaming\jbbawwj
    3⤵
    PID:7812
- C:\Users\Admin\AppData\Roaming\ftbawwj
  C:\Users\Admin\AppData\Roaming\ftbawwj
  2⤵
  PID:6948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-166-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/428-160-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/828-212-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/964-167-0x00000000003D0000-0x00000000003E9000-memory.dmp

Filesize
100KB

Download
memory/964-156-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1228-187-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1280-155-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1344-161-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1648-61-0x0000000003D20000-0x0000000003E5F000-memory.dmp

Filesize
1.2MB

Download
memory/1648-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1932-163-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2072-158-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/2176-173-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2532-164-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2836-175-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2844-176-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download