asyncrat | 9750eede207cae12bfce4c50dd1aac7edf9a54bd5f5b64d4ff8bad5d0b8394de

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747.exe
Size

7KB
MD5

d7378a262909fac70f5aa9f41a0811bf
SHA1

26f608d7c3d1a71057ca90e912359fa0c4358cd9
SHA256

9750eede207cae12bfce4c50dd1aac7edf9a54bd5f5b64d4ff8bad5d0b8394de
SHA512

d495eedb7de852296034a669393f054ec79397dedb45048e7a0880bbe7021a9ef0d1825f18dfe67d8d2b8dc52c453cd5d2bfe0086fc9da42270fbbc5959170ba
SSDEEP

96:X5T40gK4WFddriIe08H7yjSN+PlQ29zuGnGAOD1V6TuiO9zNt:1gK4WTn8by6IyYzJGxhVYub3

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

goooooooool.com:1337

Mutex

sd2sadsdawqdanchun

Attributes

delay
1
install
true
install_file
shellhost.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x003a000000016de2-156.dat	family_asyncrat

Blocklisted process makes network request 10 IoCs

flow	pid	Process
26	2592	747.exe
27	600	747.exe
29	1672	747.exe
31	1924	747.exe
33	1576	747.exe
34	3000	747.exe
40	2148	747.exe
41	624	747.exe
48	1528	747.exe
50	2456	747.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
3948	powershell.exe
1564	powershell.exe
552	powershell.exe
3168	Process not Found
1528	powershell.exe
1056	Process not Found
5124	Process not Found
3484	powershell.exe
3904	powershell.exe
3644	powershell.exe
3112	powershell.exe
7696	Process not Found
1800	Process not Found
9620	Process not Found
6884	Process not Found
2504	powershell.exe
2588	powershell.exe
2760	powershell.exe
884	Process not Found
1668	powershell.exe
1652	powershell.exe
1244	powershell.exe
4048	Process not Found
3956	powershell.exe
4056	powershell.exe
3244	Process not Found
1868	powershell.exe
1804	Process not Found
2880	Process not Found
2884	powershell.exe
2872	powershell.exe
3508	Process not Found
2828	powershell.exe
1308	powershell.exe
4672	Process not Found
568	powershell.exe
2932	powershell.exe
2676	powershell.exe
5048	Process not Found
3168	powershell.exe
1924	powershell.exe
2200	powershell.exe
10380	Process not Found
1744	powershell.exe
2036	powershell.exe
2660	powershell.exe
1648	powershell.exe
1300	powershell.exe
2412	powershell.exe
1992	powershell.exe
2700	Process not Found
3352	powershell.exe
920	powershell.exe
3540	Process not Found
2264	Process not Found
2364	Process not Found
1028	powershell.exe
1972	powershell.exe
2972	Process not Found
6604	Process not Found
2316	powershell.exe
344	powershell.exe
780	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
3876	jwo3uvqg.t2d.exe
4056	qi1he4ss.v0e.exe
2844	yjjvfrq3.kc3.exe
4084	gwynp01f.pqy.exe
2688	djypbdy2.aev.exe
2392	tftpwp3k.dik.exe
3372	p03n21uj.a2n.exe
1556	4ccmmfk5.kzk.exe
3460	0cwn4jsb.ikn.exe
3660	qgudgtdf.smn.exe
3796	sgeymxi2.rgg.exe
2012	t5j1a2ew.1sy.exe
1640	qbuwib1g.q2j.exe
3312	52tixhym.3re.exe
4020	iwcdajxf.ldj.exe
3480	qof3u1dd.fvq.exe
4040	lyeym3pn.a5u.exe
3900	l1hz1wyd.f5q.exe
3892	ntspou0y.0hc.exe
1800	4v4oed1n.rgt.exe
3760	oi3bjlmn.o5d.exe
2424	5m0gaqkm.nxm.exe
4008	ukxgfzxe.ndz.exe
2760	24jsgtwo.jdq.exe
1072	ma3cf5b5.3tm.exe

Loads dropped DLL 25 IoCs

pid	Process
1744	747.exe
2496	747.exe
2808	747.exe
1672	747.exe
2592	747.exe
600	747.exe
780	747.exe
2276	747.exe
1924	747.exe
1576	747.exe
3000	747.exe
2280	747.exe
2148	747.exe
624	747.exe
2900	747.exe
2876	747.exe
292	747.exe
2448	747.exe
2200	747.exe
1528	747.exe
2340	747.exe
2756	747.exe
1508	747.exe
1536	747.exe
2456	747.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2456	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2816	powershell.exe
2024	powershell.exe
2896	powershell.exe
1760	powershell.exe
2600	powershell.exe
2956	powershell.exe
972	powershell.exe
1656	powershell.exe
2284	powershell.exe
2440	powershell.exe
3044	powershell.exe
2844	powershell.exe
1752	powershell.exe
1312	powershell.exe
2580	powershell.exe
1716	powershell.exe
2316	powershell.exe
2024	powershell.exe
568	powershell.exe
2336	powershell.exe
2164	powershell.exe
1512	powershell.exe
344	powershell.exe
1772	powershell.exe
2124	powershell.exe
716	powershell.exe
3168	powershell.exe
3308	powershell.exe
3520	powershell.exe
3708	powershell.exe
3904	powershell.exe
3176	powershell.exe
1744	powershell.exe
3524	powershell.exe
2336	powershell.exe
2812	powershell.exe
2076	powershell.exe
3476	powershell.exe
3052	powershell.exe
3196	powershell.exe
2740	powershell.exe
3040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	747.exe
Token: SeDebugPrivilege	2808	747.exe
Token: SeDebugPrivilege	2592	747.exe
Token: SeDebugPrivilege	1672	747.exe
Token: SeDebugPrivilege	1744	747.exe
Token: SeDebugPrivilege	600	747.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1924	747.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2496	747.exe
Token: SeDebugPrivilege	780	747.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2280	747.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1576	747.exe
Token: SeDebugPrivilege	3000	747.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2148	747.exe
Token: SeDebugPrivilege	624	747.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2900	747.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2340	747.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2876	747.exe
Token: SeDebugPrivilege	292	747.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2448	747.exe
Token: SeDebugPrivilege	2200	747.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1528	747.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2756	747.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1536	747.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2456	747.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1508	747.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1740	747.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2284	747.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	3200	747.exe
Token: SeDebugPrivilege	3320	747.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3536	747.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3732	747.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3928	747.exe
Token: SeDebugPrivilege	3688	747.exe
Token: SeDebugPrivilege	3904	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2952	2276	747.exe	30
PID 2276 wrote to memory of 2952	2276	747.exe	30
PID 2276 wrote to memory of 2952	2276	747.exe	30
PID 2276 wrote to memory of 2952	2276	747.exe	30
PID 2276 wrote to memory of 2816	2276	747.exe	32
PID 2276 wrote to memory of 2816	2276	747.exe	32
PID 2276 wrote to memory of 2816	2276	747.exe	32
PID 2276 wrote to memory of 2816	2276	747.exe	32
PID 2952 wrote to memory of 2808	2952	cmd.exe	34
PID 2952 wrote to memory of 2808	2952	cmd.exe	34
PID 2952 wrote to memory of 2808	2952	cmd.exe	34
PID 2952 wrote to memory of 2808	2952	cmd.exe	34
PID 2808 wrote to memory of 2840	2808	747.exe	35
PID 2808 wrote to memory of 2840	2808	747.exe	35
PID 2808 wrote to memory of 2840	2808	747.exe	35
PID 2808 wrote to memory of 2840	2808	747.exe	35
PID 2808 wrote to memory of 1760	2808	747.exe	37
PID 2808 wrote to memory of 1760	2808	747.exe	37
PID 2808 wrote to memory of 1760	2808	747.exe	37
PID 2808 wrote to memory of 1760	2808	747.exe	37
PID 2840 wrote to memory of 2592	2840	cmd.exe	38
PID 2840 wrote to memory of 2592	2840	cmd.exe	38
PID 2840 wrote to memory of 2592	2840	cmd.exe	38
PID 2840 wrote to memory of 2592	2840	cmd.exe	38
PID 2592 wrote to memory of 292	2592	747.exe	40
PID 2592 wrote to memory of 292	2592	747.exe	40
PID 2592 wrote to memory of 292	2592	747.exe	40
PID 2592 wrote to memory of 292	2592	747.exe	40
PID 292 wrote to memory of 1672	292	cmd.exe	42
PID 292 wrote to memory of 1672	292	cmd.exe	42
PID 292 wrote to memory of 1672	292	cmd.exe	42
PID 292 wrote to memory of 1672	292	cmd.exe	42
PID 2592 wrote to memory of 2896	2592	747.exe	43
PID 2592 wrote to memory of 2896	2592	747.exe	43
PID 2592 wrote to memory of 2896	2592	747.exe	43
PID 2592 wrote to memory of 2896	2592	747.exe	43
PID 1672 wrote to memory of 2112	1672	747.exe	45
PID 1672 wrote to memory of 2112	1672	747.exe	45
PID 1672 wrote to memory of 2112	1672	747.exe	45
PID 1672 wrote to memory of 2112	1672	747.exe	45
PID 1672 wrote to memory of 2024	1672	747.exe	47
PID 1672 wrote to memory of 2024	1672	747.exe	47
PID 1672 wrote to memory of 2024	1672	747.exe	47
PID 1672 wrote to memory of 2024	1672	747.exe	47
PID 2112 wrote to memory of 1744	2112	cmd.exe	48
PID 2112 wrote to memory of 1744	2112	cmd.exe	48
PID 2112 wrote to memory of 1744	2112	cmd.exe	48
PID 2112 wrote to memory of 1744	2112	cmd.exe	48
PID 1744 wrote to memory of 1540	1744	747.exe	50
PID 1744 wrote to memory of 1540	1744	747.exe	50
PID 1744 wrote to memory of 1540	1744	747.exe	50
PID 1744 wrote to memory of 1540	1744	747.exe	50
PID 1744 wrote to memory of 2600	1744	747.exe	52
PID 1744 wrote to memory of 2600	1744	747.exe	52
PID 1744 wrote to memory of 2600	1744	747.exe	52
PID 1744 wrote to memory of 2600	1744	747.exe	52
PID 1540 wrote to memory of 600	1540	cmd.exe	54
PID 1540 wrote to memory of 600	1540	cmd.exe	54
PID 1540 wrote to memory of 600	1540	cmd.exe	54
PID 1540 wrote to memory of 600	1540	cmd.exe	54
PID 600 wrote to memory of 1580	600	747.exe	55
PID 600 wrote to memory of 1580	600	747.exe	55
PID 600 wrote to memory of 1580	600	747.exe	55
PID 600 wrote to memory of 1580	600	747.exe	55

C:\Users\Admin\AppData\Local\Temp\747.exe
"C:\Users\Admin\AppData\Local\Temp\747.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\747.exe
    "C:\Users\Admin\AppData\Local\Temp\747.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        12⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        13⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        16⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        17⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        18⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        20⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        21⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        22⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        23⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        24⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        25⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        27⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        28⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        29⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        31⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        32⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        33⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        34⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        35⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        37⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        38⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        41⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        42⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        43⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        45⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        47⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        48⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        49⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        50⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        51⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        56⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        57⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        62⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        65⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        68⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        72⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        74⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        76⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        78⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        79⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        81⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        82⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        84⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        85⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        87⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        88⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        89⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        90⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        91⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        92⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        93⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        94⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        95⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        96⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        97⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        98⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        99⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        100⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        101⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        102⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        103⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        104⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        105⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        106⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        107⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        108⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        109⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        110⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        111⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        112⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        113⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        114⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        115⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        116⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        117⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        118⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        119⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        120⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        121⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        122⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        123⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        124⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        125⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        126⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        127⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        128⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        129⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        130⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        131⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        132⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        133⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        134⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        135⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        136⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        137⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        138⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        139⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        140⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        141⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        142⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        143⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        144⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        145⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        146⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        147⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        148⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        149⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        150⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        151⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        152⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        153⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        154⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        155⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        156⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        157⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        158⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        159⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        160⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        161⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        162⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        163⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        164⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        165⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        166⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        167⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        168⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        169⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        170⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        171⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        172⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        173⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        174⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        175⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        176⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        177⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        178⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        179⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        180⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        181⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        182⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        183⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        184⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        185⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        186⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        187⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        188⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        189⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        190⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        191⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        192⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        193⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        194⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        195⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        196⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        197⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        198⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        199⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        200⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        201⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        202⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        203⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        204⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        205⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        206⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        207⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        208⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        209⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        210⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        211⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        212⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        213⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        214⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        215⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        216⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        217⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        218⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        219⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        220⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        221⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        222⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        223⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        224⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        225⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        226⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        227⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        228⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        229⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        230⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        231⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        232⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        233⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        234⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        235⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        236⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        237⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        238⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        239⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        240⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        241⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        242⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        243⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        244⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        245⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        246⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        247⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        248⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        249⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        250⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        251⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        252⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        253⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        254⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        255⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        256⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        257⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        258⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        259⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        260⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        261⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        262⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        263⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        264⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        265⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        266⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        267⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        268⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        269⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        270⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        271⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        272⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        273⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        274⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        275⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        276⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        277⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        278⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        279⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        280⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        281⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        282⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        283⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        284⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        285⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        286⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        287⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        288⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        289⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        290⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        291⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        292⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        293⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        294⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        295⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        296⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        297⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        298⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        299⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        300⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        301⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        302⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        303⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        304⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        305⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        306⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        307⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        308⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        309⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        310⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        311⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        312⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        313⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        314⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        315⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        316⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        317⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        318⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        319⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        320⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        321⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        322⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        323⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        324⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        325⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        326⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        327⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        328⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        329⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        330⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        331⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        332⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        333⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        334⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        335⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        336⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        337⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        338⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        339⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        340⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        341⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        342⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        343⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        344⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        345⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        346⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        347⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        348⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        349⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        350⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        351⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        352⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        353⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        354⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        355⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        356⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        357⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        358⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        359⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        360⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        361⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        362⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        363⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        364⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        365⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        366⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        367⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        368⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        369⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        370⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        371⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        372⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        373⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        374⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        375⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        376⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        377⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        378⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        379⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        380⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        381⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        382⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        383⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        384⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        385⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        386⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        387⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        388⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        389⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        390⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        391⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        392⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        393⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        394⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        395⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        396⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        397⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        398⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        399⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        400⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        401⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        402⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        403⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        404⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        405⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        406⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        407⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        408⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        409⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        410⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        411⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        412⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        413⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        414⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        415⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        416⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        417⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        418⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        419⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        420⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        421⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        422⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        423⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        424⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        425⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        426⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        427⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        428⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        429⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        430⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        431⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        432⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        433⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        434⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        435⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        436⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        437⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        438⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        439⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        440⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        441⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        442⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        443⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        444⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        445⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        446⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        447⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        448⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        449⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        450⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        451⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        452⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        453⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        454⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        455⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        456⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        457⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        458⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        459⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        460⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        461⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        462⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        463⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        464⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        465⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        466⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        467⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        468⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        469⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        470⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        471⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        472⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        473⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        474⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        475⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        476⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        477⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        478⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        479⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        480⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        481⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        482⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        483⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        484⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        485⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        486⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        487⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        488⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        489⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        490⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        491⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        492⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        493⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        494⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        495⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        496⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        497⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        498⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        499⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        500⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        501⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        502⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        503⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        504⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        505⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        506⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        507⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        508⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        509⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        510⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\747.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747.exe"
        511⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\Admin\AppData\Local\Temp\747.exe" & EXIT
        512⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        512⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        510⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        508⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        506⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        504⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        502⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        500⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        498⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        496⤵
        
        PID:620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        494⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        492⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        490⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        488⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        486⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        484⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        482⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        480⤵
        
        PID:600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        478⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        476⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        474⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        472⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2lmnfokn.wzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2lmnfokn.wzm.exe"
        472⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        470⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        468⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        466⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        464⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        462⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\fjzxhpbw.34h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fjzxhpbw.34h.exe"
        462⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        460⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\xf3f3bff.yld.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xf3f3bff.yld.exe"
        460⤵
        
        PID:580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        458⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tq0eeb3j.z22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tq0eeb3j.z22.exe"
        458⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        456⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\j5b3q0w0.f5x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j5b3q0w0.f5x.exe"
        456⤵
        
        PID:780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        454⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\5q3uro4p.nkn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5q3uro4p.nkn.exe"
        454⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        452⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\4jufjf2i.s3a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4jufjf2i.s3a.exe"
        452⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        450⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\psx1bm4m.m5e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\psx1bm4m.m5e.exe"
        450⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        448⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3lpjwrte.xxs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3lpjwrte.xxs.exe"
        448⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        446⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\a2mgbddy.qs4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a2mgbddy.qs4.exe"
        446⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        444⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\juqxeckg.2qn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\juqxeckg.2qn.exe"
        444⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        442⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\gsi022vw.lo4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gsi022vw.lo4.exe"
        442⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        440⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\u3yp00fw.dau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3yp00fw.dau.exe"
        440⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        438⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\fbn0nghm.hoo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fbn0nghm.hoo.exe"
        438⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        436⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\aesesxad.wcr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aesesxad.wcr.exe"
        436⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        434⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\5dpmaxy4.5qw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5dpmaxy4.5qw.exe"
        434⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        432⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\a1th4uoc.dlw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a1th4uoc.dlw.exe"
        432⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        430⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\wlummluk.h0w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wlummluk.h0w.exe"
        430⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        428⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\i2tw0wej.qtv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i2tw0wej.qtv.exe"
        428⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        426⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\ufk0rngb.c32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ufk0rngb.c32.exe"
        426⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        424⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\un1bw5ev.y5v.exe
        
        "C:\Users\Admin\AppData\Local\Temp\un1bw5ev.y5v.exe"
        424⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        422⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\dkezlr3q.whi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dkezlr3q.whi.exe"
        422⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        420⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\0slbhlfk.why.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0slbhlfk.why.exe"
        420⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        418⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\axr240id.lfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\axr240id.lfx.exe"
        418⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        416⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\gwvc55ss.mxd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gwvc55ss.mxd.exe"
        416⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        414⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\uksmbwpk.bjb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uksmbwpk.bjb.exe"
        414⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        412⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\glhkl1je.hc5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\glhkl1je.hc5.exe"
        412⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        410⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\chcttsk2.0xp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chcttsk2.0xp.exe"
        410⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        408⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\drdispfh.frp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\drdispfh.frp.exe"
        408⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        406⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\bf4kmwcd.trj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bf4kmwcd.trj.exe"
        406⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        404⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\uvjhfj0n.wgo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uvjhfj0n.wgo.exe"
        404⤵
        
        PID:496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        402⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\zruq3qjp.qo1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zruq3qjp.qo1.exe"
        402⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        400⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\ewkcksml.u5u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ewkcksml.u5u.exe"
        400⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        398⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\rrt0bdas.x0m.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rrt0bdas.x0m.exe"
        398⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        396⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\vj2ola3i.oo3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vj2ola3i.oo3.exe"
        396⤵
        
        PID:712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        394⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\rkcvofsc.32l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rkcvofsc.32l.exe"
        394⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        392⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\4pdhbw1x.kew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4pdhbw1x.kew.exe"
        392⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        390⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\affmfckl.nsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\affmfckl.nsn.exe"
        390⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        388⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\ml4b2avt.utg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ml4b2avt.utg.exe"
        388⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        386⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\n5xd5ehm.bfu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n5xd5ehm.bfu.exe"
        386⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        384⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\451vlvtt.xy4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\451vlvtt.xy4.exe"
        384⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        382⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wynh4nqc.iig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wynh4nqc.iig.exe"
        382⤵
        
        PID:332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        380⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\jz35s5fq.rk3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jz35s5fq.rk3.exe"
        380⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        378⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\kh1emgbw.ht4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kh1emgbw.ht4.exe"
        378⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        376⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\d004pxec.adm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d004pxec.adm.exe"
        376⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        374⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\asszcgxv.j4g.exe
        
        "C:\Users\Admin\AppData\Local\Temp\asszcgxv.j4g.exe"
        374⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        372⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\34142rif.cns.exe
        
        "C:\Users\Admin\AppData\Local\Temp\34142rif.cns.exe"
        372⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        370⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\ltfu4iqt.mh3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ltfu4iqt.mh3.exe"
        370⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        368⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\lgkhxzdb.0uv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lgkhxzdb.0uv.exe"
        368⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        366⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\gjsfnu1c.iyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gjsfnu1c.iyl.exe"
        366⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        364⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\0dhjolbu.0to.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0dhjolbu.0to.exe"
        364⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        362⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\30ynjpvy.obw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\30ynjpvy.obw.exe"
        362⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        360⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\lcvsbdfr.4xb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lcvsbdfr.4xb.exe"
        360⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        358⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\gqbogcuv.t0k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gqbogcuv.t0k.exe"
        358⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        356⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\bhp54aic.qms.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bhp54aic.qms.exe"
        356⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        354⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\ief5ga2f.xgu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ief5ga2f.xgu.exe"
        354⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        352⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\bvl2anlk.cl2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvl2anlk.cl2.exe"
        352⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        350⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\1hmrvbxd.jot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1hmrvbxd.jot.exe"
        350⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        348⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\hbjg53wp.qak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hbjg53wp.qak.exe"
        348⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        346⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3fvmyw0b.kpj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3fvmyw0b.kpj.exe"
        346⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        344⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\cxmvskoh.jl3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxmvskoh.jl3.exe"
        344⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        342⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\rvbygwh0.bpv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rvbygwh0.bpv.exe"
        342⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        340⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\sra14otz.0ar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sra14otz.0ar.exe"
        340⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        338⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\hrbovsck.p4x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hrbovsck.p4x.exe"
        338⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        336⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\2zh1q0n3.3gg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2zh1q0n3.3gg.exe"
        336⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        334⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3czvqkls.3sx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3czvqkls.3sx.exe"
        334⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        332⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\raudjdyh.soy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\raudjdyh.soy.exe"
        332⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        330⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\xct5mct1.fzg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xct5mct1.fzg.exe"
        330⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        328⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\4ac23kw2.b0s.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ac23kw2.b0s.exe"
        328⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        326⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\pkw5ivyx.n5w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pkw5ivyx.n5w.exe"
        326⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        324⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\oemyoiu3.aiu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oemyoiu3.aiu.exe"
        324⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        322⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\0rpskdm0.bvy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0rpskdm0.bvy.exe"
        322⤵
        
        PID:936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        320⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\orggrtto.5ts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\orggrtto.5ts.exe"
        320⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        318⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\w0r3j3r3.0nw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w0r3j3r3.0nw.exe"
        318⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        316⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\4hbdovaz.ku5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4hbdovaz.ku5.exe"
        316⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        314⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\51lbvq0y.scs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51lbvq0y.scs.exe"
        314⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        312⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\zi3w2aai.g0h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zi3w2aai.g0h.exe"
        312⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        310⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\ak4p0rfx.s3c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ak4p0rfx.s3c.exe"
        310⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        308⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\snredqme.td3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\snredqme.td3.exe"
        308⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        306⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\oso5u2hw.ni0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oso5u2hw.ni0.exe"
        306⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        304⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\lvnrchwb.rx0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lvnrchwb.rx0.exe"
        304⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        302⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\x4aashm5.5qx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x4aashm5.5qx.exe"
        302⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        300⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\yo2kyhni.ehn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yo2kyhni.ehn.exe"
        300⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        298⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\z0xshjyz.t3y.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z0xshjyz.t3y.exe"
        298⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        296⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\gwfnlsx5.ftx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gwfnlsx5.ftx.exe"
        296⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        294⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\ykbvilna.ite.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ykbvilna.ite.exe"
        294⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        292⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\bdg4qr3y.phy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdg4qr3y.phy.exe"
        292⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        290⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\5mb3mng0.11o.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5mb3mng0.11o.exe"
        290⤵
        
        PID:848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        288⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\fwiacurg.rl5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fwiacurg.rl5.exe"
        288⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        286⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\crtpglal.3ct.exe
        
        "C:\Users\Admin\AppData\Local\Temp\crtpglal.3ct.exe"
        286⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        284⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\deihdg4d.eag.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deihdg4d.eag.exe"
        284⤵
        
        PID:292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        282⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\k4mypx1k.xij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k4mypx1k.xij.exe"
        282⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        280⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\0nzncm0h.x5n.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0nzncm0h.x5n.exe"
        280⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        278⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\i5dxrlzo.mtl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i5dxrlzo.mtl.exe"
        278⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        276⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\4b1m50xp.i2w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b1m50xp.i2w.exe"
        276⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        274⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\if3l0izq.3wy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\if3l0izq.3wy.exe"
        274⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        272⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\5qagat4b.veq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5qagat4b.veq.exe"
        272⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        270⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\mt2rjatq.xmj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mt2rjatq.xmj.exe"
        270⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        268⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3hwra5q4.qio.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3hwra5q4.qio.exe"
        268⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        266⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\4vbhkzm5.2rv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4vbhkzm5.2rv.exe"
        266⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        264⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\ga14m1hp.32q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ga14m1hp.32q.exe"
        264⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        262⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\opjb4r0s.cg2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opjb4r0s.cg2.exe"
        262⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        260⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\hkvkvr0v.xzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hkvkvr0v.xzm.exe"
        260⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        258⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\ppz0xp4w.ikm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ppz0xp4w.ikm.exe"
        258⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        256⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\hdq0jsql.0z4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hdq0jsql.0z4.exe"
        256⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        254⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\15mafy1j.wfv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\15mafy1j.wfv.exe"
        254⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        252⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\emdo2c01.izk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\emdo2c01.izk.exe"
        252⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        250⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\snrbsa3v.nbb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\snrbsa3v.nbb.exe"
        250⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        248⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\kpamj2di.crd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kpamj2di.crd.exe"
        248⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        246⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\5nd2cmog.jmw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5nd2cmog.jmw.exe"
        246⤵
        
        PID:712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        244⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\cyl42m4e.3cz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cyl42m4e.3cz.exe"
        244⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        242⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\dfow4gxk.w1v.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dfow4gxk.w1v.exe"
        242⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        240⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\1zpbu3dp.sg4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1zpbu3dp.sg4.exe"
        240⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        238⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\wd4vumrv.qel.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wd4vumrv.qel.exe"
        238⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        236⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\crkwlvuf.22h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\crkwlvuf.22h.exe"
        236⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        234⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\myuhojpq.fqt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\myuhojpq.fqt.exe"
        234⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        232⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\41m004nk.ibv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41m004nk.ibv.exe"
        232⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        230⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\ci4psyyt.ilr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ci4psyyt.ilr.exe"
        230⤵
        
        PID:840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        228⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\uok3jovi.bzl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uok3jovi.bzl.exe"
        228⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        226⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\zhjlow2y.qzy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zhjlow2y.qzy.exe"
        226⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        224⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\s35kpujq.sy3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s35kpujq.sy3.exe"
        224⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        222⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\12ntq2ps.3ab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\12ntq2ps.3ab.exe"
        222⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        220⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\aizr0fw2.qs2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aizr0fw2.qs2.exe"
        220⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        218⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\0zpezloi.5z3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0zpezloi.5z3.exe"
        218⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        216⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\arut5vda.2pl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\arut5vda.2pl.exe"
        216⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        214⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\qjkqanzx.mq2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qjkqanzx.mq2.exe"
        214⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        212⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\jqh50awv.sri.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jqh50awv.sri.exe"
        212⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        210⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\i3103d1e.tb5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i3103d1e.tb5.exe"
        210⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        208⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\g45roa50.b5p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\g45roa50.b5p.exe"
        208⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        206⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\t4uzf5ft.epf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\t4uzf5ft.epf.exe"
        206⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        204⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\vbipx334.tgm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vbipx334.tgm.exe"
        204⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        202⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\jrrmxhq4.nwl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jrrmxhq4.nwl.exe"
        202⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        200⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\hq1q1klq.3eg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hq1q1klq.3eg.exe"
        200⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        198⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\albb2pji.h0w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\albb2pji.h0w.exe"
        198⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        196⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\fztxpvn1.rgp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fztxpvn1.rgp.exe"
        196⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        194⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\p3e2tsej.laj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p3e2tsej.laj.exe"
        194⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        192⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\f4142b2w.yas.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f4142b2w.yas.exe"
        192⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        190⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\pg3snaw2.e0h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pg3snaw2.e0h.exe"
        190⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        188⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\nlavtedy.2xk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nlavtedy.2xk.exe"
        188⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        186⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\441cqmrk.al0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\441cqmrk.al0.exe"
        186⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        184⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\p53b3vej.3pw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p53b3vej.3pw.exe"
        184⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        182⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\12u4uazo.lzd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\12u4uazo.lzd.exe"
        182⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        180⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\4jyw32jc.5o2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4jyw32jc.5o2.exe"
        180⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        178⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\ayc2dcei.cks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ayc2dcei.cks.exe"
        178⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        176⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\wnuaq2bs.min.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wnuaq2bs.min.exe"
        176⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        174⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\a30raoge.cyh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a30raoge.cyh.exe"
        174⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        172⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\ks3si1sm.wzo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ks3si1sm.wzo.exe"
        172⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        170⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\og2xj4be.d3j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\og2xj4be.d3j.exe"
        170⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        168⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\sle3ctcq.bf3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sle3ctcq.bf3.exe"
        168⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        166⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\haysrbfk.g5s.exe
        
        "C:\Users\Admin\AppData\Local\Temp\haysrbfk.g5s.exe"
        166⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        164⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\znojw4km.5gp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\znojw4km.5gp.exe"
        164⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        162⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\30qpqbdz.ikf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\30qpqbdz.ikf.exe"
        162⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        160⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\f3ywrzdu.yob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f3ywrzdu.yob.exe"
        160⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        158⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\irwr1trn.eve.exe
        
        "C:\Users\Admin\AppData\Local\Temp\irwr1trn.eve.exe"
        158⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        156⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\nkxcowmb.c0o.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nkxcowmb.c0o.exe"
        156⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        154⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\cquivxyx.unp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cquivxyx.unp.exe"
        154⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        152⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\gtdyzdbx.jxj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gtdyzdbx.jxj.exe"
        152⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        150⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\gxnth3ip.22a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gxnth3ip.22a.exe"
        150⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        148⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\a4vmlkv3.vyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a4vmlkv3.vyy.exe"
        148⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        146⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\cgkoc30f.y4f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cgkoc30f.y4f.exe"
        146⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        144⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\spyo1may.2b3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\spyo1may.2b3.exe"
        144⤵
        
        PID:292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        142⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\gck0hlzq.nar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gck0hlzq.nar.exe"
        142⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        140⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\twnsqo5d.1o5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\twnsqo5d.1o5.exe"
        140⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        138⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\wj1qjhre.tnp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wj1qjhre.tnp.exe"
        138⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        136⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\h5ntl0ga.cwq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h5ntl0ga.cwq.exe"
        136⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        134⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\f413gjzx.oni.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f413gjzx.oni.exe"
        134⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        132⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\egwcqyp2.dmu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\egwcqyp2.dmu.exe"
        132⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        130⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3enklvku.5xf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3enklvku.5xf.exe"
        130⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        128⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\n1xp1udv.l42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n1xp1udv.l42.exe"
        128⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        126⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tzdx51zd.4ra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tzdx51zd.4ra.exe"
        126⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        124⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\am15jyqn.b21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\am15jyqn.b21.exe"
        124⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        122⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\glbeip50.nun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\glbeip50.nun.exe"
        122⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        120⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\kdyaxrxu.ye3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kdyaxrxu.ye3.exe"
        120⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        118⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3p1mlwjh.nxu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3p1mlwjh.nxu.exe"
        118⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\pzfpenru.krf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pzfpenru.krf.exe"
        116⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        114⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\l2wwet2b.aej.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l2wwet2b.aej.exe"
        114⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        112⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\qqq1230p.skz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qqq1230p.skz.exe"
        112⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        110⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\5qpeswcv.3u1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5qpeswcv.3u1.exe"
        110⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        108⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\eygddr32.qje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eygddr32.qje.exe"
        108⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        106⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\0urejqax.zng.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0urejqax.zng.exe"
        106⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        104⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\5i0bk3ap.q52.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5i0bk3ap.q52.exe"
        104⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        102⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2guts35e.q1j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2guts35e.q1j.exe"
        102⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        100⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\zmdpy0qm.zva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zmdpy0qm.zva.exe"
        100⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        98⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\odusqgmf.smf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\odusqgmf.smf.exe"
        98⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        96⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\iwjny1nc.2xt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iwjny1nc.2xt.exe"
        96⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        94⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\fmvd41p3.xsb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fmvd41p3.xsb.exe"
        94⤵
        
        PID:344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        92⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\bpo4yipn.4fw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bpo4yipn.4fw.exe"
        92⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        90⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\sadijjnj.sbn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sadijjnj.sbn.exe"
        90⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        88⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\bmgl22jt.fft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bmgl22jt.fft.exe"
        88⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\wrz3p0za.dn4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wrz3p0za.dn4.exe"
        86⤵
        
        PID:580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\piumyl13.jym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\piumyl13.jym.exe"
        84⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        82⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\pgflrfth.y1u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pgflrfth.y1u.exe"
        82⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        80⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\gvode5ss.dyy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gvode5ss.dyy.exe"
        80⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        78⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\w4dfihh2.sby.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w4dfihh2.sby.exe"
        78⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        76⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\api3tln4.g1r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\api3tln4.g1r.exe"
        76⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        74⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\eorkpt2i.ixy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eorkpt2i.ixy.exe"
        74⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        72⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\0g24ltab.d5i.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0g24ltab.d5i.exe"
        72⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        70⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\hv0j0tpu.24e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hv0j0tpu.24e.exe"
        70⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\4i2xct3u.jvd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4i2xct3u.jvd.exe"
        68⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        66⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\dbwzydki.2i5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dbwzydki.2i5.exe"
        66⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        64⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\cgq5d4qe.wlk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cgq5d4qe.wlk.exe"
        64⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        62⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\jzbdgiht.p2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jzbdgiht.p2c.exe"
        62⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        60⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\1hpzeic1.huh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1hpzeic1.huh.exe"
        60⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        58⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\sedzygot.rhu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sedzygot.rhu.exe"
        58⤵
        
        PID:3336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "shellhost" /tr '"C:\Users\Admin\AppData\Local\Temp\shellhost.exe"' & exit
        59⤵
        
        PID:3944
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "shellhost" /tr '"C:\Users\Admin\AppData\Local\Temp\shellhost.exe"'
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        56⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\5b5q2ho3.dpx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5b5q2ho3.dpx.exe"
        56⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        54⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\c3hmpvnm.in4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3hmpvnm.in4.exe"
        54⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        52⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\syzs00s2.gyw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\syzs00s2.gyw.exe"
        52⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        50⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\5m0gaqkm.nxm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5m0gaqkm.nxm.exe"
        50⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\24jsgtwo.jdq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\24jsgtwo.jdq.exe"
        48⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        46⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\ma3cf5b5.3tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ma3cf5b5.3tm.exe"
        46⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        44⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\ukxgfzxe.ndz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ukxgfzxe.ndz.exe"
        44⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        42⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\4v4oed1n.rgt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4v4oed1n.rgt.exe"
        42⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        40⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\ntspou0y.0hc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ntspou0y.0hc.exe"
        40⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        38⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\lyeym3pn.a5u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lyeym3pn.a5u.exe"
        38⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\l1hz1wyd.f5q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l1hz1wyd.f5q.exe"
        36⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        34⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\qof3u1dd.fvq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qof3u1dd.fvq.exe"
        34⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        32⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\oi3bjlmn.o5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oi3bjlmn.o5d.exe"
        32⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\iwcdajxf.ldj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iwcdajxf.ldj.exe"
        30⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\52tixhym.3re.exe
        
        "C:\Users\Admin\AppData\Local\Temp\52tixhym.3re.exe"
        28⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        26⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\qbuwib1g.q2j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qbuwib1g.q2j.exe"
        26⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\sgeymxi2.rgg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sgeymxi2.rgg.exe"
        24⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\qgudgtdf.smn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qgudgtdf.smn.exe"
        22⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\t5j1a2ew.1sy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\t5j1a2ew.1sy.exe"
        20⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\djypbdy2.aev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\djypbdy2.aev.exe"
        18⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\qi1he4ss.v0e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qi1he4ss.v0e.exe"
        16⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\0cwn4jsb.ikn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cwn4jsb.ikn.exe"
        14⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tftpwp3k.dik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftpwp3k.dik.exe"
        12⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\jwo3uvqg.t2d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jwo3uvqg.t2d.exe"
        10⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\yjjvfrq3.kc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yjjvfrq3.kc3.exe"
        8⤵
        Executes dropped EXE
        
        PID:2844
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\4ccmmfk5.kzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ccmmfk5.kzk.exe"
        6⤵
        Executes dropped EXE
        
        PID:1556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\gwynp01f.pqy.exe
      "C:\Users\Admin\AppData\Local\Temp\gwynp01f.pqy.exe"
      4⤵
      Executes dropped EXE
      PID:4084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "shellhost" /tr '"C:\Users\Admin\AppData\Local\Temp\shellhost.exe"' & exit
        5⤵
        
        PID:2740
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "shellhost" /tr '"C:\Users\Admin\AppData\Local\Temp\shellhost.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp315D.tmp.bat""
        5⤵
        
        PID:2728
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\shellhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\shellhost.exe"
        6⤵
        
        PID:3688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\p03n21uj.a2n.exe
  "C:\Users\Admin\AppData\Local\Temp\p03n21uj.a2n.exe"
  2⤵
  - Executes dropped EXE
  PID:3372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15132271141555592632361846749200187436-727318162-2035981776-1678318508-1646014486"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9536647831480671327829675-2927629601489562130-183628839-2086459445-345091455"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1879355681249391706216336488-2077456769-195153879483534369217576830301929614167"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1932978992199707994131202493519243849982981555481923557376-1477429219-834469262"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1692007675-130986595735121627911203248721087922155838641191195393822-396647847"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6485686-814310476408899735-214043862-1018003247-163390015811450420671830154291"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1652397960-462024977-1450399056-1844832259-468356491-21126258571147025049-1398160822"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "968793777-1350287475805930881111514136135781686194759673854648953774337654"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1060105647-791494824-1637359417998550525-1769134844451332414-5758591401929913827"
1⤵
PID:3688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1759957216648863233250390147-169067060-97687409715103784721455327014-429352769"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1756911650-1099065901018884902-927726559934698276-1199637402-9461732401228898755"
1⤵
PID:3788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16893992064452571552076072820-506220055-101682691056474425118403246482084292732"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1469131551-17235803732102443735761736942671094318726970511478472254-183346069"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15024847411423414546-376860976-18593830901355409525578805629772275040401840860"
1⤵
PID:3136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1227795960194454922616473485542114011816-2098050566850827081-16065521401004665699"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "119623065817953953001015229565-169896335130635280321005217694197467641487528940"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13931855652058461044-283633278-914550150665706343-155375815-1606281628971538496"
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp315D.tmp.bat

Filesize
156B

MD5
e19442052966ae6825dc32393bdb26c2

SHA1
19f5ede2f34de71bf89c9eaeb8c3138adcce7b5a

SHA256
6bda1416b34646335b24d438ed1bd5b6a3f660325e63e4c1fa75223306f54eb1

SHA512
12ca94651dcf924769aa85c7cd3a074cee4cbb77df3ab688c2f97142a793d8562b529bc237c0934b799ffa48b4adcd46f32c844a16765f1028487d5d52338bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3defce311b1aef27131247c1724bce1

SHA1
e073c35d06ced4015945884b1c78df64e402e147

SHA256
2d71041241957cff788a7f0ada88b51530425e240c6bc55e31a114deb11ca464

SHA512
d9bdebee8f0340b49721f51ec9a01a72583ce07d79df13365f684e263fd912ec5221032027314690830b8c261a1813d9cdcba6f700c0cd202deada0a15c57cf8

Download Submit
\Users\Admin\AppData\Local\Temp\jwo3uvqg.t2d.exe

Filesize
47KB

MD5
aee44a0b550b02be63266fc037ca5181

SHA1
de9ebe138df221eef0aecd17f27f3f664e3b0320

SHA256
8f290b28a690c526a43027c225ff12bcfcb3c0d6a5ece89f73f69940afc5f122

SHA512
350383101f46a12be9b83cf7e3ba950e7b6e413ead56a018c43a6b49705f8744fa730535146dcc2785b5180266190bf8029a28d0375e38e6ca6b3974c984e80c

Download Submit
memory/292-692-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/344-500-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/580-466-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/840-992-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download
memory/1032-815-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1072-294-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/1300-639-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/1316-514-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1556-213-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/1576-656-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/1624-876-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/1640-239-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/1672-397-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1740-841-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download
memory/1840-564-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/1864-890-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/1880-1024-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/1992-691-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/1996-970-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/2000-604-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/2012-231-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/2012-459-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/2068-488-0x0000000001390000-0x00000000013A2000-memory.dmp

Filesize
72KB

Download
memory/2160-402-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/2232-638-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2276-1-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2276-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2336-475-0x00000000011C0000-0x00000000011D2000-memory.dmp

Filesize
72KB

Download
memory/2392-207-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2392-752-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2396-971-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/2424-289-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/2452-725-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/2560-526-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2564-513-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/2596-663-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/2600-821-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2688-202-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/2760-293-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2808-179-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-4-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-190-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2848-695-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2896-676-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/2936-376-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/3012-467-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/3016-857-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/3060-833-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/3096-384-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/3104-566-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/3152-693-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/3160-448-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/3272-881-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/3292-791-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/3312-248-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/3320-443-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/3336-379-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/3360-972-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/3372-210-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/3384-722-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/3388-855-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/3432-923-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3456-509-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/3460-212-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/3480-912-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/3480-259-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/3520-442-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3528-761-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/3536-428-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/3620-799-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/3660-218-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/3700-403-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/3736-646-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3744-728-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/3760-280-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

Filesize
72KB

Download
memory/3796-219-0x00000000010A0000-0x00000000010B2000-memory.dmp

Filesize
72KB

Download
memory/3808-721-0x00000000012B0000-0x00000000012C2000-memory.dmp

Filesize
72KB

Download
memory/3820-396-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/3820-510-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/3844-660-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/3848-593-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/3872-468-0x0000000001200000-0x0000000001212000-memory.dmp

Filesize
72KB

Download
memory/3876-160-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/3892-272-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/3900-268-0x00000000000A0000-0x00000000000B2000-memory.dmp

Filesize
72KB

Download
memory/3952-763-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/3976-493-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/3992-630-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/4004-498-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/4008-292-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/4020-251-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/4024-951-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/4040-265-0x0000000001170000-0x0000000001182000-memory.dmp

Filesize
72KB

Download
memory/4056-176-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/4080-458-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/4084-191-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download