ardamax | f619e625c73d1cdb069792c0d582cc206e7d7f009de1b4268918c437f1fabeea

Analysis

max time kernel
12s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe
Size

1.2MB
MD5

7b8ab805d1f05e438993fd4f25b60827
SHA1

988f6c403a8981b23782ba92e6da9636383e8a6d
SHA256

f619e625c73d1cdb069792c0d582cc206e7d7f009de1b4268918c437f1fabeea
SHA512

500d6101c8d308327e026d1dd68f7188ff6fec9f54a406b11cefb8e2e9f9def838747553bf4c7011e83650d2862281c0088dbede7593b0001d32fa1e900ea3e0
SSDEEP

24576:UW8dHfxwJKzOghaOactYnBwkiXhz/k00c96j5xUwDVR+LNwsdpn:UW8NYdgh6elkRSQ5lDVsLNxT

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000169f5-24.dat	family_ardamax
behavioral1/files/0x0006000000016e1d-56.dat	family_ardamax

Executes dropped EXE 64 IoCs

pid	Process
1852	loader.exe
1844	EGAF.exe
2468	loader.exe
2816	EGAF.exe
2800	loader.exe
1564	loader.exe
2864	EGAF.exe
304	loader.exe
2772	EGAF.exe
2776	EGAF.exe
2660	loader.exe
1340	loader.exe
1260	EGAF.exe
2276	EGAF.exe
2640	loader.exe
2348	EGAF.exe
1688	loader.exe
1292	EGAF.exe
600	loader.exe
1828	EGAF.exe
832	loader.exe
1680	EGAF.exe
2128	loader.exe
1240	EGAF.exe
1604	loader.exe
2388	EGAF.exe
1520	loader.exe
1836	EGAF.exe
2780	loader.exe
2300	EGAF.exe
2124	loader.exe
2808	EGAF.exe
2520	loader.exe
2676	EGAF.exe
2872	loader.exe
2996	EGAF.exe
2656	loader.exe
2944	EGAF.exe
2688	loader.exe
1344	EGAF.exe
1200	loader.exe
1448	EGAF.exe
3052	loader.exe
1996	EGAF.exe
3016	loader.exe
2012	EGAF.exe
2764	loader.exe
940	EGAF.exe
660	loader.exe
1932	EGAF.exe
600	loader.exe
1140	EGAF.exe
752	loader.exe
2064	EGAF.exe
2428	loader.exe
1424	EGAF.exe
2476	loader.exe
1712	EGAF.exe
1636	loader.exe
328	EGAF.exe
1852	loader.exe
2708	EGAF.exe
2532	loader.exe
2636	EGAF.exe

Loads dropped DLL 64 IoCs

pid	Process
2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe
2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe
1852	loader.exe
1852	loader.exe
1852	loader.exe
2468	loader.exe
2468	loader.exe
2468	loader.exe
2800	loader.exe
2800	loader.exe
2800	loader.exe
1564	loader.exe
1564	loader.exe
1564	loader.exe
304	loader.exe
304	loader.exe
1844	EGAF.exe
1844	EGAF.exe
2776	EGAF.exe
2776	EGAF.exe
304	loader.exe
304	loader.exe
304	loader.exe
2660	loader.exe
2660	loader.exe
2660	loader.exe
1340	loader.exe
2864	EGAF.exe
1260	EGAF.exe
1340	loader.exe
1340	loader.exe
1340	loader.exe
2864	EGAF.exe
2276	EGAF.exe
2276	EGAF.exe
2640	loader.exe
2640	loader.exe
2348	EGAF.exe
2348	EGAF.exe
2640	loader.exe
2640	loader.exe
2640	loader.exe
1688	loader.exe
1688	loader.exe
1688	loader.exe
600	loader.exe
1292	EGAF.exe
1292	EGAF.exe
600	loader.exe
1828	EGAF.exe
600	loader.exe
1828	EGAF.exe
600	loader.exe
600	loader.exe
832	loader.exe
832	loader.exe
1680	EGAF.exe
1680	EGAF.exe
832	loader.exe
832	loader.exe
832	loader.exe
2128	loader.exe
2128	loader.exe
1240	EGAF.exe

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGAF Agent = "C:\\Windows\\SysWOW64\\28463\\EGAF.exe"	EGAF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGAF.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGAF.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGAF.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGAF.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGAF.exe
File created	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.001	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.006	loader.exe
File created	C:\Windows\SysWOW64\28463\EGAF.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\28463\EGAF.007	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\TypeLib\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\0\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\Version	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\Version\ = "1.0"	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\0\win64	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\ = "GrooveToolContainerAlpha"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\TypeLib\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\VersionIndependentProgID	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\ = "Kanop"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\InprocServer32\ = "%SystemRoot%\\SysWow64\\iasnap.dll"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\HELPDIR\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\ = "Segonil.Rifazo"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\InProcServer32\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\InprocServer32	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\Programmable\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\0\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\FLAGS\ = "0"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\0\win32	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\FLAGS	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\Version	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\ProgID	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\TypeLib\ = "{50809CF9-EF94-BF8D-DA75-C1930BE92073}"	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\Version	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\TypeLib\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\VersionIndependentProgID\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\ProgID\ = "Shell.Application.1"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\HELPDIR\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\ProgID\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\Version\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\0\win32	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\TypeLib	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\0	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\0\win32	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\Version\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\105"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83CFAA16-A310-469B-E583-2B5112799AB4}\Version\ = "1.1"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\FLAGS\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\HELPDIR	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\VersionIndependentProgID\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\FLAGS	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\80"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\InprocServer32\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50809CF9-EF94-BF8D-DA75-C1930BE92073}\1.0\FLAGS	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\VersionIndependentProgID	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6ED22B9F-76F1-07E3-86EE-C4CC7B7B5314}\1.0\ = "Groove Telespace Members 1.0 Type Library"	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63804EEB-1FBD-4D62-9783-5A17660E1515}\Programmable	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\atl.dll"	EGAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\HELPDIR	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\ProgID\ = "IAS.EAPTypes.1"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\0\win32\	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27071857-E1D7-457C-5289-FFE08FC20A62}\VersionIndependentProgID\ = "IAS.EAPTypes"	EGAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{829FA2E0-3ED1-4DA3-7C82-1507C48C3BA6}\1.0\HELPDIR\ = "%SYSTEMROOT%\\"	EGAF.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1844	EGAF.exe
Token: SeIncBasePriorityPrivilege	1844	EGAF.exe
Token: 33	2864	EGAF.exe
Token: SeIncBasePriorityPrivilege	2864	EGAF.exe
Token: 33	2348	EGAF.exe
Token: SeIncBasePriorityPrivilege	2348	EGAF.exe
Token: 33	1292	EGAF.exe
Token: SeIncBasePriorityPrivilege	1292	EGAF.exe
Token: 33	1828	EGAF.exe
Token: SeIncBasePriorityPrivilege	1828	EGAF.exe
Token: 33	1680	EGAF.exe
Token: SeIncBasePriorityPrivilege	1680	EGAF.exe
Token: 33	1240	EGAF.exe
Token: SeIncBasePriorityPrivilege	1240	EGAF.exe
Token: 33	2388	EGAF.exe
Token: SeIncBasePriorityPrivilege	2388	EGAF.exe
Token: 33	1836	EGAF.exe
Token: SeIncBasePriorityPrivilege	1836	EGAF.exe
Token: 33	2808	EGAF.exe
Token: SeIncBasePriorityPrivilege	2808	EGAF.exe
Token: 33	2996	EGAF.exe
Token: SeIncBasePriorityPrivilege	2996	EGAF.exe
Token: 33	2944	EGAF.exe
Token: SeIncBasePriorityPrivilege	2944	EGAF.exe
Token: 33	1344	EGAF.exe
Token: SeIncBasePriorityPrivilege	1344	EGAF.exe
Token: 33	1448	EGAF.exe
Token: SeIncBasePriorityPrivilege	1448	EGAF.exe
Token: 33	1996	EGAF.exe
Token: SeIncBasePriorityPrivilege	1996	EGAF.exe
Token: 33	940	EGAF.exe
Token: SeIncBasePriorityPrivilege	940	EGAF.exe
Token: 33	1932	EGAF.exe
Token: SeIncBasePriorityPrivilege	1932	EGAF.exe
Token: 33	1140	EGAF.exe
Token: SeIncBasePriorityPrivilege	1140	EGAF.exe
Token: 33	1424	EGAF.exe
Token: SeIncBasePriorityPrivilege	1424	EGAF.exe
Token: 33	1712	EGAF.exe
Token: SeIncBasePriorityPrivilege	1712	EGAF.exe
Token: 33	2708	EGAF.exe
Token: SeIncBasePriorityPrivilege	2708	EGAF.exe
Token: 33	2596	EGAF.exe
Token: SeIncBasePriorityPrivilege	2596	EGAF.exe
Token: 33	2968	EGAF.exe
Token: SeIncBasePriorityPrivilege	2968	EGAF.exe
Token: 33	1988	EGAF.exe
Token: SeIncBasePriorityPrivilege	1988	EGAF.exe
Token: 33	1432	EGAF.exe
Token: SeIncBasePriorityPrivilege	1432	EGAF.exe
Token: 33	1440	EGAF.exe
Token: SeIncBasePriorityPrivilege	1440	EGAF.exe
Token: 33	1280	EGAF.exe
Token: SeIncBasePriorityPrivilege	1280	EGAF.exe
Token: 33	2456	EGAF.exe
Token: SeIncBasePriorityPrivilege	2456	EGAF.exe
Token: 33	2128	EGAF.exe
Token: SeIncBasePriorityPrivilege	2128	EGAF.exe
Token: 33	1180	EGAF.exe
Token: SeIncBasePriorityPrivilege	1180	EGAF.exe
Token: 33	2544	EGAF.exe
Token: SeIncBasePriorityPrivilege	2544	EGAF.exe
Token: 33	2836	EGAF.exe
Token: SeIncBasePriorityPrivilege	2836	EGAF.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1844	EGAF.exe
1844	EGAF.exe
1844	EGAF.exe
1844	EGAF.exe
1844	EGAF.exe
2864	EGAF.exe
2864	EGAF.exe
2864	EGAF.exe
2864	EGAF.exe
2864	EGAF.exe
2348	EGAF.exe
2348	EGAF.exe
2348	EGAF.exe
2348	EGAF.exe
2348	EGAF.exe
1292	EGAF.exe
1292	EGAF.exe
1292	EGAF.exe
1292	EGAF.exe
1292	EGAF.exe
1828	EGAF.exe
1828	EGAF.exe
1828	EGAF.exe
1828	EGAF.exe
1828	EGAF.exe
1680	EGAF.exe
1680	EGAF.exe
1680	EGAF.exe
1680	EGAF.exe
1680	EGAF.exe
1240	EGAF.exe
1240	EGAF.exe
1240	EGAF.exe
1240	EGAF.exe
1240	EGAF.exe
2388	EGAF.exe
2388	EGAF.exe
2388	EGAF.exe
2388	EGAF.exe
2388	EGAF.exe
1836	EGAF.exe
1836	EGAF.exe
1836	EGAF.exe
1836	EGAF.exe
1836	EGAF.exe
2808	EGAF.exe
2808	EGAF.exe
2808	EGAF.exe
2808	EGAF.exe
2808	EGAF.exe
2996	EGAF.exe
2996	EGAF.exe
2996	EGAF.exe
2996	EGAF.exe
2996	EGAF.exe
2944	EGAF.exe
2944	EGAF.exe
2944	EGAF.exe
2944	EGAF.exe
2944	EGAF.exe
1344	EGAF.exe
1344	EGAF.exe
1344	EGAF.exe
1344	EGAF.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1852	2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1852	2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1852	2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1852	2368	7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe	30
PID 1852 wrote to memory of 1844	1852	loader.exe	31
PID 1852 wrote to memory of 1844	1852	loader.exe	31
PID 1852 wrote to memory of 1844	1852	loader.exe	31
PID 1852 wrote to memory of 1844	1852	loader.exe	31
PID 1852 wrote to memory of 2468	1852	loader.exe	32
PID 1852 wrote to memory of 2468	1852	loader.exe	32
PID 1852 wrote to memory of 2468	1852	loader.exe	32
PID 1852 wrote to memory of 2468	1852	loader.exe	32
PID 2468 wrote to memory of 2816	2468	loader.exe	33
PID 2468 wrote to memory of 2816	2468	loader.exe	33
PID 2468 wrote to memory of 2816	2468	loader.exe	33
PID 2468 wrote to memory of 2816	2468	loader.exe	33
PID 2468 wrote to memory of 2800	2468	loader.exe	34
PID 2468 wrote to memory of 2800	2468	loader.exe	34
PID 2468 wrote to memory of 2800	2468	loader.exe	34
PID 2468 wrote to memory of 2800	2468	loader.exe	34
PID 2800 wrote to memory of 2864	2800	loader.exe	212
PID 2800 wrote to memory of 2864	2800	loader.exe	212
PID 2800 wrote to memory of 2864	2800	loader.exe	212
PID 2800 wrote to memory of 2864	2800	loader.exe	212
PID 2800 wrote to memory of 1564	2800	loader.exe	36
PID 2800 wrote to memory of 1564	2800	loader.exe	36
PID 2800 wrote to memory of 1564	2800	loader.exe	36
PID 2800 wrote to memory of 1564	2800	loader.exe	36
PID 1564 wrote to memory of 2772	1564	loader.exe	1255
PID 1564 wrote to memory of 2772	1564	loader.exe	1255
PID 1564 wrote to memory of 2772	1564	loader.exe	1255
PID 1564 wrote to memory of 2772	1564	loader.exe	1255
PID 1564 wrote to memory of 304	1564	loader.exe	1178
PID 1564 wrote to memory of 304	1564	loader.exe	1178
PID 1564 wrote to memory of 304	1564	loader.exe	1178
PID 1564 wrote to memory of 304	1564	loader.exe	1178
PID 304 wrote to memory of 2776	304	loader.exe	1805
PID 304 wrote to memory of 2776	304	loader.exe	1805
PID 304 wrote to memory of 2776	304	loader.exe	1805
PID 304 wrote to memory of 2776	304	loader.exe	1805
PID 304 wrote to memory of 2660	304	loader.exe	2112
PID 304 wrote to memory of 2660	304	loader.exe	2112
PID 304 wrote to memory of 2660	304	loader.exe	2112
PID 304 wrote to memory of 2660	304	loader.exe	2112
PID 2660 wrote to memory of 1260	2660	loader.exe	2127
PID 2660 wrote to memory of 1260	2660	loader.exe	2127
PID 2660 wrote to memory of 1260	2660	loader.exe	2127
PID 2660 wrote to memory of 1260	2660	loader.exe	2127
PID 2660 wrote to memory of 1340	2660	loader.exe	2262
PID 2660 wrote to memory of 1340	2660	loader.exe	2262
PID 2660 wrote to memory of 1340	2660	loader.exe	2262
PID 2660 wrote to memory of 1340	2660	loader.exe	2262
PID 1340 wrote to memory of 2276	1340	loader.exe	2256
PID 1340 wrote to memory of 2276	1340	loader.exe	2256
PID 1340 wrote to memory of 2276	1340	loader.exe	2256
PID 1340 wrote to memory of 2276	1340	loader.exe	2256
PID 1340 wrote to memory of 2640	1340	loader.exe	2268
PID 1340 wrote to memory of 2640	1340	loader.exe	2268
PID 1340 wrote to memory of 2640	1340	loader.exe	2268
PID 1340 wrote to memory of 2640	1340	loader.exe	2268
PID 2640 wrote to memory of 2348	2640	loader.exe	2275
PID 2640 wrote to memory of 2348	2640	loader.exe	2275
PID 2640 wrote to memory of 2348	2640	loader.exe	2275
PID 2640 wrote to memory of 2348	2640	loader.exe	2275

C:\Users\Admin\AppData\Local\Temp\7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b8ab805d1f05e438993fd4f25b60827_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\28463\EGAF.exe
    "C:\Windows\system32\28463\EGAF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\28463\EGAF.exe
      "C:\Windows\system32\28463\EGAF.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        6⤵
        Executes dropped EXE
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2128
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        17⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        19⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        25⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        29⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        32⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        34⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        35⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        37⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        
        PID:532
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        41⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        
        PID:884
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        42⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        43⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        44⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        48⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        49⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        50⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        51⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        52⤵
        Adds Run key to start application
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        54⤵
        Adds Run key to start application
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        55⤵
        Adds Run key to start application
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        57⤵
        Adds Run key to start application
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        58⤵
        Adds Run key to start application
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        59⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        61⤵
        Adds Run key to start application
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        63⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        64⤵
        Adds Run key to start application
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        65⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        65⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        66⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        67⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        67⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        69⤵
        Adds Run key to start application
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        70⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        70⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        71⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        72⤵
        Adds Run key to start application
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        72⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        73⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        73⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        74⤵
        
        PID:296
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        75⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        76⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        76⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        77⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        78⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        78⤵
        
        PID:908
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        79⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        80⤵
        Adds Run key to start application
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        82⤵
        Adds Run key to start application
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        82⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        83⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        85⤵
        Adds Run key to start application
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        87⤵
        Adds Run key to start application
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        88⤵
        Adds Run key to start application
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        88⤵
        Drops file in System32 directory
        
        PID:304
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        89⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        90⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        90⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        91⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        91⤵
        
        PID:344
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        92⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        92⤵
        
        PID:532
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        93⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        93⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        94⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        94⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        95⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        95⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        96⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        96⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        97⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        97⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        98⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        98⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        99⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        99⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        100⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        100⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        101⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        101⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        102⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        102⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        103⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        103⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        104⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        104⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        105⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        105⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        106⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        106⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        107⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        107⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        108⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        108⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        109⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        109⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        110⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        110⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        111⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        111⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        112⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        112⤵
        
        PID:680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        113⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        113⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        114⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        114⤵
        
        PID:956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        115⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        115⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        116⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        116⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        117⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        117⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        118⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        118⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        119⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        119⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        120⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        120⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        121⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        121⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        122⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        122⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        123⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        123⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        124⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        124⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        125⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        125⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        126⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        126⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        127⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        127⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        128⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        128⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        129⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        129⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        130⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        130⤵
        
        PID:308
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        131⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        131⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        132⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        132⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        133⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        133⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        134⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        134⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        135⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        135⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        136⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        136⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        137⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        137⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        138⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        138⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        139⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        139⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        140⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        140⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        141⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        141⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        142⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        142⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        143⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        143⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        144⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        144⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        145⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        145⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        146⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        146⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        147⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        147⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        148⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        148⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        149⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        149⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        150⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        150⤵
        
        PID:300
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        151⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        151⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        152⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        152⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        153⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        153⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        154⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        154⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        155⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        155⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        156⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        156⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        157⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        157⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        158⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        158⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        159⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        159⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        160⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        160⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        161⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        161⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        162⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        162⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        163⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        163⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        164⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        164⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        165⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        165⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        166⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        166⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        167⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        167⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        168⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        168⤵
        
        PID:824
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        169⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        169⤵
        
        PID:300
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        170⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        170⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        171⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        171⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        172⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        172⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        173⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        173⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        174⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        174⤵
        
        PID:556
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        175⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        175⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        176⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        176⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        177⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        177⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        178⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        178⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        179⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        179⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        180⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        180⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        181⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        181⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        182⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        182⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        183⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        183⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        184⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        184⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        185⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        185⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        186⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        186⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        187⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        187⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        188⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        188⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        189⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        189⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        190⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        190⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        191⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        191⤵
        
        PID:908
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        192⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        192⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        193⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        193⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        194⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        194⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        195⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        195⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        196⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        196⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        197⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        197⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        198⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        198⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        199⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        199⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        200⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        200⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        201⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        201⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        202⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        202⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        203⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        203⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        204⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        204⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        205⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        205⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        206⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        206⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        207⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        207⤵
        
        PID:752
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        208⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        208⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        209⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        209⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        210⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        210⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        211⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        211⤵
        
        PID:572
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        212⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        212⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        213⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        213⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        214⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        214⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        215⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        215⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        216⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        216⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        217⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        217⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        218⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        218⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        219⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        219⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        220⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        220⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        221⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        221⤵
        
        PID:792
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        222⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        222⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        223⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        223⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        224⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        224⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        225⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        225⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        226⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        226⤵
        
        PID:680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        227⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        227⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        228⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        228⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        229⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        229⤵
        
        PID:272
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        230⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        230⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        231⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        231⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        232⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        232⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        233⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        233⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        234⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        234⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        235⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        235⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        236⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        236⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        237⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        237⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        238⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        238⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        239⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        239⤵
        
        PID:848
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        240⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        240⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        241⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        241⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        242⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        242⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        243⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        243⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        244⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        244⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        245⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        245⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        246⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        246⤵
        
        PID:660
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        247⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        247⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        248⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        248⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        249⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        249⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        250⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        250⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        251⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        251⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        252⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        252⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        253⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        253⤵
        
        PID:664
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        254⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        254⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        255⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        255⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        256⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        256⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        257⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        257⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        258⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        258⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        259⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        259⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        260⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        260⤵
        
        PID:404
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        261⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        261⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        262⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        262⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        263⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        263⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        264⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        264⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        265⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        265⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        266⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        266⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        267⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        267⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        268⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        268⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        269⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        269⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        270⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        270⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        271⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        271⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        272⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        272⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        273⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        273⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        274⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        274⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        275⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        275⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        276⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        276⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        277⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        277⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        278⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        278⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        279⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        279⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        280⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        280⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        281⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        281⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        282⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        282⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        283⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        283⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        284⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        284⤵
        
        PID:956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        285⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        285⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        286⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        286⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        287⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        287⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        288⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        288⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        289⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        289⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        290⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        290⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        291⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        291⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        292⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        292⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        293⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        293⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        294⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        294⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        295⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        295⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        296⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        296⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        297⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        297⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        298⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        298⤵
        
        PID:480
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        299⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        299⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        300⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        300⤵
        
        PID:752
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        301⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        301⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        302⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        302⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        303⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        303⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        304⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        304⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        305⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        305⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        306⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        306⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        307⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        307⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        308⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        308⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        309⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        309⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        310⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        310⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        311⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        311⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        312⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        312⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        313⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        313⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        314⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        314⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        315⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        315⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        316⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        316⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        317⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        317⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        318⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        318⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        319⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        319⤵
        
        PID:596
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        320⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        320⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        321⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        321⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        322⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        322⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        323⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        323⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        324⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        324⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        325⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        325⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        326⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        326⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        327⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        327⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        328⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        328⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        329⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        329⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        330⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        330⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        331⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        331⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        332⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        332⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        333⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        333⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        334⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        334⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        335⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        335⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        336⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        336⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        337⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        337⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        338⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        338⤵
        
        PID:676
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        339⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        339⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        340⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        340⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        341⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        341⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        342⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        342⤵
        
        PID:352
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        343⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        343⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        344⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        344⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        345⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        345⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        346⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        346⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        347⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        347⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        348⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        348⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        349⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        349⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        350⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        350⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        351⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        351⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        352⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        352⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        353⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        353⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        354⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        354⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        355⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        355⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        356⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        356⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        357⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        357⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        358⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        358⤵
        
        PID:832
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        359⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        359⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        360⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        360⤵
        
        PID:868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        361⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        361⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        362⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        362⤵
        
        PID:272
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        363⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        363⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        364⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        364⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        365⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        365⤵
        
        PID:988
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        366⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        366⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        367⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        367⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        368⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        368⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        369⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        369⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        370⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        370⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        371⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        371⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        372⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        372⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        373⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        373⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        374⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        374⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        375⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        375⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        376⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        376⤵
        
        PID:640
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        377⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        377⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        378⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        378⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        379⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        379⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        380⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        380⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        381⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        381⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        382⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        382⤵
        
        PID:880
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        383⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        383⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        384⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        384⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        385⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        385⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        386⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        386⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        387⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        387⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        388⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        388⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        389⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        389⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        390⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        390⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        391⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        391⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        392⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        392⤵
        
        PID:292
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        393⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        393⤵
        
        PID:480
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        394⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        394⤵
        
        PID:676
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        395⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        395⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        396⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        396⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        397⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        397⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        398⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        398⤵
        
        PID:868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        399⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        399⤵
        
        PID:908
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        400⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        400⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        401⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        401⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        402⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        402⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        403⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        403⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        404⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        404⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        405⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        405⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        406⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        406⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        407⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        407⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        408⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        408⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        409⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        409⤵
        
        PID:344
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        410⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        410⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        411⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        411⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        412⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        412⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        413⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        413⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        414⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        414⤵
        
        PID:660
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        415⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        415⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        416⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        416⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        417⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        417⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        418⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        418⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        419⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        419⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        420⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        420⤵
        
        PID:908
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        421⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        421⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        422⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        422⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        423⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        423⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        424⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        424⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        425⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        425⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        426⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        426⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        427⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        427⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        428⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        428⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        429⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        429⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        430⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        430⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        431⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        431⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        432⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        432⤵
        
        PID:292
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        433⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        433⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        434⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        434⤵
        
        PID:832
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        435⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        435⤵
        
        PID:600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        436⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        436⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        437⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        437⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        438⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        438⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        439⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        439⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        440⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        440⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        441⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        441⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        442⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        442⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        443⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        443⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        444⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        444⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        445⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        445⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        446⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        446⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        447⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        447⤵
        
        PID:860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        448⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        448⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        449⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        449⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        450⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        450⤵
        
        PID:752
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        451⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        451⤵
        
        PID:896
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        452⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        452⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        453⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        453⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        454⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        454⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        455⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        455⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        456⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        456⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        457⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        457⤵
        
        PID:872
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        458⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        458⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        459⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        459⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        460⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        460⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        461⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        461⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        462⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        462⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        463⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        463⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        464⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        464⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        465⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        465⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        466⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        466⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        467⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        467⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        468⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        468⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        469⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        469⤵
        
        PID:268
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        470⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        470⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        471⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        471⤵
        
        PID:772
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        472⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        472⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        473⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        473⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        474⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        474⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        475⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        475⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        476⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        476⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        477⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        477⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        478⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        478⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        479⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        479⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        480⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        480⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        481⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        481⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        482⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        482⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        483⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        483⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        484⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        484⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        485⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        485⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        486⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        486⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        487⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        487⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        488⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        488⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        489⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        489⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        490⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        490⤵
        
        PID:352
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        491⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        491⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        492⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        492⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        493⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        493⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        494⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        494⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        495⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        495⤵
        
        PID:988
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        496⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        496⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        497⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        497⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        498⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        498⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        499⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        499⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        500⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        500⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        501⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        501⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        502⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        502⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        503⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        503⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        504⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        504⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        505⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        505⤵
        
        PID:292
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        506⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        506⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        507⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        507⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        508⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        508⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        509⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        509⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        510⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        510⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        511⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        511⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        512⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        512⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\28463\EGAF.exe
        
        "C:\Windows\system32\28463\EGAF.exe"
        513⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        513⤵
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@B59A.tmp

Filesize
1.4MB

MD5
c2cf699342d25626a0a1e25087481529

SHA1
e919f391a2e4a0b1b698c9cbba2ad0dc08a888b2

SHA256
78c31d14a4c3388be8b783c70cc86c27f6c03db32c067fa522afa681ca7509df

SHA512
572a917a8853eddee37850c411996fe56d687ec6bb629f2e240cd8b940705c2cd2d8c0d36e863c939d072eb5f79a248da61ca7845ac191ad3f65b9baa55fabfd

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
1330b13b62c4a93f01258c92865d7b66

SHA1
80af708c5f6aa42a44b59c22747ec22672521a15

SHA256
dbd2839b7ad5fb3a9e82ebd9c20bac14f36e206681133de6243eac3e54ff6009

SHA512
9fdedc00fe2e2c9abdfe144de3e3bc12701e4e90d08d1df8f754535fecb4b7cec85dec60acfcbae57d11971cb0c669d81f5f879be71d241d4dcd1abd6cf062b7

Download Submit
C:\Windows\SysWOW64\28463\EGAF.001

Filesize
458B

MD5
c11be7c58ec64d477dcd01ef084921a6

SHA1
c27c908f21d7809ef92b3d3600e62e615485a240

SHA256
5f14c776c8ffca84bf5fb68ecf2aa14fbb377f8f568ef8874cf5884fa071edb9

SHA512
44db62af0b580c44c9eb368a77e019b6df4db0329fc66ef8234b5ea92e05798c8ca4605414e4326559ea9fa972df163b77421e4f60b509499655a3c1af6729bc

Download Submit
C:\Windows\SysWOW64\28463\EGAF.006

Filesize
8KB

MD5
e276f0755a4cfd771e79f890f080872f

SHA1
a96ea810928536f332998dd034555afc47b0c71a

SHA256
8df0e42c01742facc785ae056a63f9820bf4ac6ac7693a92ac62042afe5435c0

SHA512
f47ed8a0db02ebfd460fcbd6330cf79c001d40606a9c12b0d084bc693e30f0623e2632682ff6bd32a21cf3534ad8fd8433337e149a8ed4d18cec49f88a4992e0

Download Submit
C:\Windows\SysWOW64\28463\EGAF.007

Filesize
5KB

MD5
30c025b8c40053769b6c4dd558c2e3bc

SHA1
4e73208134bce15b77ceb700fbd9ba4eb6185d71

SHA256
2c57f4374b09cb372b26d02c4785d72ba56d66c2bd18900342b826151f60b478

SHA512
9348b2ac6c6cb673b47d7cbe4476d158a145557e723dc1c4dd4fe2c1d3ae22bd3ff1905bb3d65bed9a1bcd2f66a8367ad50a82ea991840f5ab70cf4e6345bff9

Download Submit
C:\Windows\SysWOW64\28463\EGAF.exe

Filesize
648KB

MD5
fdf98229979369e5c97fb6eccf7a8ac7

SHA1
b900b25fed4568a9e6204e68b9df40453f2db73e

SHA256
221380cdd7f83df5188b5625add30e87a9b77daac8c809c1a2b6765ebbecce7d

SHA512
d63773245376803583ba52dc16e561dee77d21bc73b19e07a2f75955c6d25335438c2b62464768630e2d720519a6ba0927bfacbda4024d2d766d2e5d356f2be2

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@B339.tmp

Filesize
4KB

MD5
072f1a688c3acab7ad7285438fb82327

SHA1
42ecb0a53ad7024d5125cba7472eb535acbde633

SHA256
fca0e37bdd76d3de33188eb2fd23e416ef497b06b8c3ff0f4b5a59c8c8542ad6

SHA512
e49e737dda9772a73761b6d1bfea9ea939389612b4e912f70470a0f12e5df7fb4db841e67756bd64d82c1584ecd4188037c1a00c28081b0c3ccca7707d480840

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
1.0MB

MD5
4fed3398b8ededb3efda4c575d16f89b

SHA1
6a7acd1652198cb91a979800b87a1d137c7ce756

SHA256
73dab47fad709b5b570dd355c9a99fb03af7fe2e9305cd0abbc7c4e802520378

SHA512
a4fad26294f95affb7153b6854a0e056dca34728d3566f4b51c2713b334fd0372e4aa6ad1d89a2a5062d3ee2ef973256c1ce341114e5c1d1ce2a42c4e9a65955

Download Submit
memory/304-118-0x00000000027D0000-0x00000000028AF000-memory.dmp

Filesize
892KB

Download
memory/328-448-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/328-446-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/532-547-0x00000000027F0000-0x00000000028CF000-memory.dmp

Filesize
892KB

Download
memory/572-815-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/600-799-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/600-396-0x0000000002800000-0x00000000028DF000-memory.dmp

Filesize
892KB

Download
memory/660-384-0x00000000027F0000-0x00000000028CF000-memory.dmp

Filesize
892KB

Download
memory/752-408-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/880-830-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/884-572-0x00000000027A0000-0x000000000287F000-memory.dmp

Filesize
892KB

Download
memory/940-381-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/940-373-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1140-429-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1140-397-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1240-235-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1240-225-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1260-156-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1260-158-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1292-191-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1292-198-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1344-331-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1344-324-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1424-442-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1432-536-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1432-544-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1440-569-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1444-522-0x00000000027F0000-0x00000000028CF000-memory.dmp

Filesize
892KB

Download
memory/1448-334-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1448-343-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1520-250-0x00000000027F0000-0x00000000028CF000-memory.dmp

Filesize
892KB

Download
memory/1564-95-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/1612-835-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1636-445-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/1680-222-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1680-213-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1688-187-0x00000000027D0000-0x00000000028AF000-memory.dmp

Filesize
892KB

Download
memory/1712-435-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1712-456-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1828-210-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1828-201-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1836-253-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1836-273-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1844-155-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1844-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1852-27-0x00000000028E0000-0x00000000029BF000-memory.dmp

Filesize
892KB

Download
memory/1932-385-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1932-393-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1988-511-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1988-533-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1996-370-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1996-346-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2012-362-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2012-358-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-409-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-410-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2108-863-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2124-483-0x0000000002800000-0x00000000028DF000-memory.dmp

Filesize
892KB

Download
memory/2128-228-0x00000000027A0000-0x00000000027A6000-memory.dmp

Filesize
24KB

Download
memory/2220-563-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2220-559-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2276-165-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2276-163-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2300-265-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2300-262-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2316-558-0x00000000027E0000-0x00000000028BF000-memory.dmp

Filesize
892KB

Download
memory/2348-185-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-177-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2356-854-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2368-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-238-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2388-247-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2428-420-0x00000000027C0000-0x000000000289F000-memory.dmp

Filesize
892KB

Download
memory/2476-434-0x00000000027E0000-0x00000000028BF000-memory.dmp

Filesize
892KB

Download
memory/2476-496-0x00000000027E0000-0x00000000028BF000-memory.dmp

Filesize
892KB

Download
memory/2520-287-0x00000000027D0000-0x00000000028AF000-memory.dmp

Filesize
892KB

Download
memory/2532-470-0x00000000027F0000-0x00000000028CF000-memory.dmp

Filesize
892KB

Download
memory/2596-484-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2596-493-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2636-471-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2636-475-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2640-176-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/2676-296-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2708-480-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2708-459-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2772-510-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/2772-98-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2772-115-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2776-123-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2776-128-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2780-266-0x00000000027A0000-0x00000000027A6000-memory.dmp

Filesize
24KB

Download
memory/2800-73-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/2800-173-0x0000000002790000-0x000000000286F000-memory.dmp

Filesize
892KB

Download
memory/2808-497-0x0000000002830000-0x000000000290F000-memory.dmp

Filesize
892KB

Download
memory/2808-294-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2808-276-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2816-150-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2816-53-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2864-86-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2864-172-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2944-319-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2968-498-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2968-507-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2996-301-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2996-308-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3016-363-0x00000000027A0000-0x00000000027A6000-memory.dmp

Filesize
24KB

Download
memory/3016-357-0x00000000027A0000-0x000000000287F000-memory.dmp

Filesize
892KB

Download
memory/3056-526-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3056-523-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads