ramnit | 59de5f450e1d360d082497bad068ec8e59e8b2891487c6243b4828c85bd798c6

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
Size

114KB
MD5

863e8308667bbb8d7bad223f4b612e7c
SHA1

7f7870310916214f7736d5b73dc61dc10f2f9cfd
SHA256

59de5f450e1d360d082497bad068ec8e59e8b2891487c6243b4828c85bd798c6
SHA512

f6147a881b061ea27704ce13597e8980e59988501c373710f7e4a823dfabd0dc6db6567b2bc1fabcf37bdf62f89e87211fa2da4b477d52d982873f54b5ed424d
SSDEEP

3072:UhiPLaCWnzRm/vjYZihCCrQKfaAQDWkGcz:M6LaVn9m3jYZVCrAHW5cz

Score

10^/10

ramnit banker defense_evasion discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\bnbmabel\\jtsykbnc.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jtsykbnc.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jtsykbnc.exe	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
1836	byqtmdpi.exe
1280	byqtmdpi.exe
316	byqtmdpi.exe
1184	byqtmdpi.exe
2380	byqtmdpi.exe
1076	byqtmdpi.exe
3008	byqtmdpi.exe
2372	byqtmdpi.exe
2336	byqtmdpi.exe
1596	byqtmdpi.exe
1264	byqtmdpi.exe
1416	byqtmdpi.exe
2884	byqtmdpi.exe
496	byqtmdpi.exe
944	byqtmdpi.exe
2244	byqtmdpi.exe
1832	byqtmdpi.exe
3068	byqtmdpi.exe
1316	byqtmdpi.exe
2072	byqtmdpi.exe
1372	byqtmdpi.exe
1868	byqtmdpi.exe
1704	byqtmdpi.exe
1636	byqtmdpi.exe
2960	byqtmdpi.exe
2148	byqtmdpi.exe
2744	byqtmdpi.exe
556	byqtmdpi.exe
2968	byqtmdpi.exe
1060	byqtmdpi.exe
604	byqtmdpi.exe
1888	byqtmdpi.exe
2380	byqtmdpi.exe
3040	byqtmdpi.exe
2388	byqtmdpi.exe
2384	byqtmdpi.exe
1448	byqtmdpi.exe
2612	byqtmdpi.exe
2720	byqtmdpi.exe
1064	byqtmdpi.exe
2420	byqtmdpi.exe
1168	byqtmdpi.exe
2128	byqtmdpi.exe
1092	byqtmdpi.exe
1756	byqtmdpi.exe
2564	byqtmdpi.exe
1292	byqtmdpi.exe
1040	byqtmdpi.exe
348	byqtmdpi.exe
2600	byqtmdpi.exe
1464	byqtmdpi.exe
2264	byqtmdpi.exe
2780	byqtmdpi.exe
2760	byqtmdpi.exe
2952	byqtmdpi.exe
2956	byqtmdpi.exe
2676	byqtmdpi.exe
2332	byqtmdpi.exe
2888	byqtmdpi.exe
592	byqtmdpi.exe
2868	byqtmdpi.exe
264	byqtmdpi.exe
576	byqtmdpi.exe
2976	byqtmdpi.exe

Loads dropped DLL 64 IoCs

pid	Process
804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
1836	byqtmdpi.exe
1280	byqtmdpi.exe
316	byqtmdpi.exe
1184	byqtmdpi.exe
2380	byqtmdpi.exe
1076	byqtmdpi.exe
3008	byqtmdpi.exe
2372	byqtmdpi.exe
2336	byqtmdpi.exe
1596	byqtmdpi.exe
1264	byqtmdpi.exe
1416	byqtmdpi.exe
2884	byqtmdpi.exe
496	byqtmdpi.exe
944	byqtmdpi.exe
2244	byqtmdpi.exe
1832	byqtmdpi.exe
3068	byqtmdpi.exe
1316	byqtmdpi.exe
2072	byqtmdpi.exe
1372	byqtmdpi.exe
1868	byqtmdpi.exe
1704	byqtmdpi.exe
1636	byqtmdpi.exe
2960	byqtmdpi.exe
2148	byqtmdpi.exe
2744	byqtmdpi.exe
556	byqtmdpi.exe
2968	byqtmdpi.exe
1060	byqtmdpi.exe
604	byqtmdpi.exe
1888	byqtmdpi.exe
2380	byqtmdpi.exe
3040	byqtmdpi.exe
2388	byqtmdpi.exe
2384	byqtmdpi.exe
1448	byqtmdpi.exe
2612	byqtmdpi.exe
2720	byqtmdpi.exe
1064	byqtmdpi.exe
2420	byqtmdpi.exe
1168	byqtmdpi.exe
2128	byqtmdpi.exe
1092	byqtmdpi.exe
1756	byqtmdpi.exe
2564	byqtmdpi.exe
1292	byqtmdpi.exe
1040	byqtmdpi.exe
348	byqtmdpi.exe
2600	byqtmdpi.exe
1464	byqtmdpi.exe
2264	byqtmdpi.exe
2780	byqtmdpi.exe
2760	byqtmdpi.exe
2952	byqtmdpi.exe
2956	byqtmdpi.exe
2676	byqtmdpi.exe
2332	byqtmdpi.exe
2888	byqtmdpi.exe
592	byqtmdpi.exe
2868	byqtmdpi.exe
264	byqtmdpi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JtsYkbnc = "C:\\Users\\Admin\\AppData\\Local\\bnbmabel\\jtsykbnc.exe"	svchost.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 1836 set thread context of 1280	1836	byqtmdpi.exe	34
PID 316 set thread context of 1184	316	byqtmdpi.exe	36
PID 2380 set thread context of 1076	2380	byqtmdpi.exe	38
PID 3008 set thread context of 2372	3008	byqtmdpi.exe	40
PID 2336 set thread context of 1596	2336	byqtmdpi.exe	42
PID 1264 set thread context of 1416	1264	byqtmdpi.exe	44
PID 2884 set thread context of 496	2884	byqtmdpi.exe	46
PID 944 set thread context of 2244	944	byqtmdpi.exe	48
PID 1832 set thread context of 3068	1832	byqtmdpi.exe	50
PID 1316 set thread context of 2072	1316	byqtmdpi.exe	52
PID 1372 set thread context of 1868	1372	byqtmdpi.exe	54
PID 1704 set thread context of 1636	1704	byqtmdpi.exe	56
PID 2960 set thread context of 2148	2960	byqtmdpi.exe	58
PID 2744 set thread context of 556	2744	byqtmdpi.exe	60
PID 2968 set thread context of 1060	2968	byqtmdpi.exe	62
PID 604 set thread context of 1888	604	byqtmdpi.exe	64
PID 2380 set thread context of 3040	2380	byqtmdpi.exe	66
PID 2388 set thread context of 2384	2388	byqtmdpi.exe	68
PID 1448 set thread context of 2612	1448	byqtmdpi.exe	70
PID 2720 set thread context of 1064	2720	byqtmdpi.exe	72
PID 2420 set thread context of 1168	2420	byqtmdpi.exe	74
PID 2128 set thread context of 1092	2128	byqtmdpi.exe	76
PID 1756 set thread context of 2564	1756	byqtmdpi.exe	79
PID 1292 set thread context of 1040	1292	byqtmdpi.exe	81
PID 348 set thread context of 2600	348	byqtmdpi.exe	83
PID 1464 set thread context of 2264	1464	byqtmdpi.exe	85
PID 2780 set thread context of 2760	2780	byqtmdpi.exe	87
PID 2952 set thread context of 2956	2952	byqtmdpi.exe	89
PID 2676 set thread context of 2332	2676	byqtmdpi.exe	91
PID 2888 set thread context of 592	2888	byqtmdpi.exe	93
PID 2868 set thread context of 264	2868	byqtmdpi.exe	95
PID 576 set thread context of 2976	576	byqtmdpi.exe	97
PID 1700 set thread context of 1980	1700	byqtmdpi.exe	99
PID 2388 set thread context of 2124	2388	byqtmdpi.exe	101
PID 1632 set thread context of 840	1632	byqtmdpi.exe	103
PID 1680 set thread context of 1388	1680	byqtmdpi.exe	105
PID 960 set thread context of 2884	960	byqtmdpi.exe	107
PID 1572 set thread context of 1724	1572	byqtmdpi.exe	109
PID 1860 set thread context of 2076	1860	byqtmdpi.exe	111
PID 1292 set thread context of 1872	1292	byqtmdpi.exe	113
PID 2548 set thread context of 2412	2548	byqtmdpi.exe	115
PID 1464 set thread context of 2596	1464	byqtmdpi.exe	117
PID 2908 set thread context of 2216	2908	byqtmdpi.exe	119
PID 2704 set thread context of 1912	2704	byqtmdpi.exe	121
PID 2352 set thread context of 852	2352	byqtmdpi.exe	123
PID 560 set thread context of 2968	560	byqtmdpi.exe	125
PID 1732 set thread context of 2848	1732	byqtmdpi.exe	127
PID 1148 set thread context of 1776	1148	byqtmdpi.exe	129
PID 2992 set thread context of 2020	2992	byqtmdpi.exe	131
PID 2248 set thread context of 2432	2248	byqtmdpi.exe	133
PID 2140 set thread context of 2720	2140	byqtmdpi.exe	135
PID 1144 set thread context of 704	1144	byqtmdpi.exe	137
PID 1008 set thread context of 1376	1008	byqtmdpi.exe	139
PID 1768 set thread context of 2228	1768	byqtmdpi.exe	141
PID 2260 set thread context of 900	2260	byqtmdpi.exe	143
PID 2608 set thread context of 2092	2608	byqtmdpi.exe	145
PID 2936 set thread context of 2932	2936	byqtmdpi.exe	147
PID 2912 set thread context of 2908	2912	byqtmdpi.exe	149
PID 2768 set thread context of 2704	2768	byqtmdpi.exe	151
PID 2744 set thread context of 2500	2744	byqtmdpi.exe	153
PID 1176 set thread context of 2620	1176	byqtmdpi.exe	155
PID 2876 set thread context of 1520	2876	byqtmdpi.exe	157
PID 1284 set thread context of 3020	1284	byqtmdpi.exe	159

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/804-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-3-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-2-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-63-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/804-85-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1280-106-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1184-119-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1184-124-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1076-141-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2372-158-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1596-175-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1416-192-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/496-209-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2244-222-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2244-227-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3068-244-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2072-261-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1868-278-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1636-290-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2148-312-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1060-345-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1888-356-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1888-359-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2384-382-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2384-385-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2612-398-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1168-421-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1040-460-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2600-469-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2956-510-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2332-523-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2976-560-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1980-573-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/840-598-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1388-611-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2076-648-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/852-721-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2968-734-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2848-745-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1776-760-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2020-773-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1264-978-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3004-1120-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2684-1242-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2516-1375-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2408-1614-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2580-2989-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2580-3487-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2480-3506-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2316-3601-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2160-3638-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2144-3651-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1292-3736-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1344-3797-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtmapair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byqtmdpi.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5673931-071E-11F0-9F30-7694D31B45CA} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
Token: SeDebugPrivilege	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
Token: SeSecurityPrivilege	2512	svchost.exe
Token: SeSecurityPrivilege	2328	svchost.exe
Token: SeDebugPrivilege	2328	svchost.exe
Token: SeSecurityPrivilege	1280	byqtmdpi.exe
Token: SeDebugPrivilege	1280	byqtmdpi.exe
Token: SeSecurityPrivilege	1184	byqtmdpi.exe
Token: SeDebugPrivilege	1184	byqtmdpi.exe
Token: SeSecurityPrivilege	1076	byqtmdpi.exe
Token: SeDebugPrivilege	1076	byqtmdpi.exe
Token: SeSecurityPrivilege	2372	byqtmdpi.exe
Token: SeDebugPrivilege	2372	byqtmdpi.exe
Token: SeSecurityPrivilege	1596	byqtmdpi.exe
Token: SeDebugPrivilege	1596	byqtmdpi.exe
Token: SeSecurityPrivilege	1416	byqtmdpi.exe
Token: SeDebugPrivilege	1416	byqtmdpi.exe
Token: SeSecurityPrivilege	496	byqtmdpi.exe
Token: SeDebugPrivilege	496	byqtmdpi.exe
Token: SeSecurityPrivilege	2244	byqtmdpi.exe
Token: SeDebugPrivilege	2244	byqtmdpi.exe
Token: SeSecurityPrivilege	3068	byqtmdpi.exe
Token: SeDebugPrivilege	3068	byqtmdpi.exe
Token: SeSecurityPrivilege	2072	byqtmdpi.exe
Token: SeDebugPrivilege	2072	byqtmdpi.exe
Token: SeSecurityPrivilege	1868	byqtmdpi.exe
Token: SeDebugPrivilege	1868	byqtmdpi.exe
Token: SeSecurityPrivilege	1636	byqtmdpi.exe
Token: SeDebugPrivilege	1636	byqtmdpi.exe
Token: SeSecurityPrivilege	2148	byqtmdpi.exe
Token: SeDebugPrivilege	2148	byqtmdpi.exe
Token: SeSecurityPrivilege	556	byqtmdpi.exe
Token: SeDebugPrivilege	556	byqtmdpi.exe
Token: SeSecurityPrivilege	1060	byqtmdpi.exe
Token: SeDebugPrivilege	1060	byqtmdpi.exe
Token: SeSecurityPrivilege	1888	byqtmdpi.exe
Token: SeDebugPrivilege	1888	byqtmdpi.exe
Token: SeSecurityPrivilege	3040	byqtmdpi.exe
Token: SeDebugPrivilege	3040	byqtmdpi.exe
Token: SeSecurityPrivilege	2384	byqtmdpi.exe
Token: SeDebugPrivilege	2384	byqtmdpi.exe
Token: SeSecurityPrivilege	2612	byqtmdpi.exe
Token: SeDebugPrivilege	2612	byqtmdpi.exe
Token: SeSecurityPrivilege	1064	byqtmdpi.exe
Token: SeDebugPrivilege	1064	byqtmdpi.exe
Token: SeSecurityPrivilege	1168	byqtmdpi.exe
Token: SeDebugPrivilege	1168	byqtmdpi.exe
Token: SeSecurityPrivilege	1092	byqtmdpi.exe
Token: SeDebugPrivilege	1092	byqtmdpi.exe
Token: SeSecurityPrivilege	2564	byqtmdpi.exe
Token: SeDebugPrivilege	2564	byqtmdpi.exe
Token: SeSecurityPrivilege	1040	byqtmdpi.exe
Token: SeDebugPrivilege	1040	byqtmdpi.exe
Token: SeSecurityPrivilege	2600	byqtmdpi.exe
Token: SeDebugPrivilege	2600	byqtmdpi.exe
Token: SeSecurityPrivilege	2264	byqtmdpi.exe
Token: SeDebugPrivilege	2264	byqtmdpi.exe
Token: SeSecurityPrivilege	2760	byqtmdpi.exe
Token: SeDebugPrivilege	2760	byqtmdpi.exe
Token: SeSecurityPrivilege	2956	byqtmdpi.exe
Token: SeDebugPrivilege	2956	byqtmdpi.exe
Token: SeSecurityPrivilege	2332	byqtmdpi.exe
Token: SeDebugPrivilege	2332	byqtmdpi.exe
Token: SeSecurityPrivilege	592	byqtmdpi.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 2548 wrote to memory of 804	2548	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	30
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2512	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	31
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 2328	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	32
PID 804 wrote to memory of 1836	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	33
PID 804 wrote to memory of 1836	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	33
PID 804 wrote to memory of 1836	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	33
PID 804 wrote to memory of 1836	804	JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe	33
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1836 wrote to memory of 1280	1836	byqtmdpi.exe	34
PID 1280 wrote to memory of 316	1280	byqtmdpi.exe	35
PID 1280 wrote to memory of 316	1280	byqtmdpi.exe	35
PID 1280 wrote to memory of 316	1280	byqtmdpi.exe	35
PID 1280 wrote to memory of 316	1280	byqtmdpi.exe	35
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 316 wrote to memory of 1184	316	byqtmdpi.exe	36
PID 1184 wrote to memory of 2380	1184	byqtmdpi.exe	37
PID 1184 wrote to memory of 2380	1184	byqtmdpi.exe	37
PID 1184 wrote to memory of 2380	1184	byqtmdpi.exe	37
PID 1184 wrote to memory of 2380	1184	byqtmdpi.exe	37
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38
PID 2380 wrote to memory of 1076	2380	byqtmdpi.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_863e8308667bbb8d7bad223f4b612e7c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
    "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
      "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        61⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        63⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        66⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        68⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        70⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        72⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        74⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        75⤵
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        76⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        78⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        80⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        82⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        84⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        85⤵
        Suspicious use of SetThreadContext
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        86⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        87⤵
        Suspicious use of SetThreadContext
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        88⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        90⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        92⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        94⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        95⤵
        Suspicious use of SetThreadContext
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        96⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        98⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        100⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        102⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        104⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        106⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        108⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        110⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        111⤵
        Suspicious use of SetThreadContext
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        112⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        114⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        116⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        117⤵
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        119⤵
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        120⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        122⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        123⤵
        Suspicious use of SetThreadContext
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        124⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        125⤵
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        127⤵
        Suspicious use of SetThreadContext
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        128⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        129⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        130⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        131⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        132⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        133⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        134⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        135⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        136⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        137⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        138⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        139⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        140⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        141⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        142⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        144⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        145⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        146⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        147⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        148⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        149⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        150⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        151⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        152⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        153⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        154⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        155⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        156⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        157⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        158⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        159⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        160⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        161⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        162⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        163⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        166⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        167⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        168⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        169⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        171⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        172⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        173⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        174⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        175⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        176⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        177⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        178⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        179⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        180⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        181⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        182⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        183⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        184⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        185⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        186⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        187⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        188⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        189⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        191⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        192⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        194⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        195⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        196⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        197⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        198⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        199⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        200⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        201⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        202⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        204⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        205⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        206⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        207⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        208⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        209⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        210⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        211⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        212⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        213⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        214⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        216⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        217⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        218⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        219⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        220⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        221⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        223⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        224⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        225⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        226⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        228⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        229⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        231⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        232⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        233⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        234⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        235⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        237⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        238⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        239⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        240⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        241⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        242⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        243⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        244⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        245⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        246⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        247⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        248⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        249⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        250⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        251⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        252⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        253⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        254⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        255⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        256⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        257⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        258⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        260⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        261⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        262⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        263⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        264⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        265⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        266⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        267⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        268⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        269⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        270⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        271⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        272⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        273⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        275⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        277⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        278⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        279⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        280⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        281⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        282⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        283⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        284⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        285⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        286⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        287⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        288⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        289⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        290⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        291⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        292⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        293⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        295⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        296⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        297⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        298⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        299⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        300⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        301⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        302⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        303⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        304⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        305⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        306⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        307⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        308⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        310⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        311⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        312⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        313⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        314⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        315⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        316⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        318⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        319⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        320⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        321⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        322⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        323⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        324⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        327⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        328⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        329⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        330⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        331⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        332⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        333⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        334⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        335⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        336⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        337⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        338⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        341⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        342⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        344⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        345⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        346⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        347⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        348⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        349⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        351⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        352⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        353⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        354⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        355⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        356⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        357⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        358⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        359⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        361⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        362⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        363⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        364⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        365⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        366⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        367⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        368⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        369⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        370⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        371⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        372⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        373⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        374⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        375⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        376⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        377⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        378⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        379⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        380⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        381⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        382⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        383⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        384⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        385⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        386⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        389⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        390⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        391⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        392⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        393⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        394⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        395⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        396⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        397⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        398⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        399⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        400⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        401⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        402⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        403⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        404⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        405⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        406⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        407⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        408⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        409⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        410⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        411⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        412⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        413⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        414⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        415⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        416⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        417⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        418⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        419⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        420⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        422⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        423⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        424⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        425⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        426⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        427⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        428⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        430⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        431⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        432⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        433⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        434⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        435⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        436⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        437⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        438⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        439⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        440⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        441⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        442⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        443⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        444⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        445⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        446⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        447⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        448⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        449⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        450⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        451⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        452⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        453⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        454⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        455⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        456⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        457⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        458⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        459⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        460⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        461⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        462⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        463⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        464⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        465⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        466⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        467⤵
        
        PID:328
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        467⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        468⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
        469⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:4142090 /prefetch:2
        469⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        467⤵
        
        PID:1148
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        467⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        468⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\qtmapair.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qtmapair.exe" elevate
        467⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\qtmapair.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qtmapair.exe"
        468⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        469⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        470⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        471⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        472⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        473⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        474⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        475⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        476⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        477⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        478⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        479⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        480⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        481⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        482⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        483⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        484⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        485⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        486⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        487⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        488⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        489⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        490⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        491⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        492⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        493⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        494⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        495⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        496⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        497⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        498⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        499⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        500⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        501⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        503⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        504⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        505⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        506⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        507⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        508⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        509⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        510⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        511⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        512⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        513⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        514⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        515⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        516⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        517⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        518⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        519⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        520⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        521⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe"
        522⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\byqtmdpi.exe" elevate
        523⤵
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e496187703644b21608a93c24233bf33

SHA1
d2fe7563fae16c49641563ea3b9311435a634f2b

SHA256
14f98cc30f6d7a05ead81a887f4bfb4fd12ad5d8aa266ebb06196ecaa5dde7db

SHA512
15b05c8c057b7d73388c08c2b70b20c899a52d75734a63f482bee38acc0e29a0682ca838171d3b7aedf92f0b9471a391a8afd812ba3d8c5ad5e1678857c97d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1faa865628ed00913520ba0ebcefd06c

SHA1
a6d8f0246c8bcc322c83fc8a032d781aec284d52

SHA256
3aec17cd97c54fbc72fd5018ff7b092784433f73953b4b6c8ce459e94d7e2713

SHA512
5ba06a41ec3d8f7bb1dc9af79d2e158db4e840844d4515c0220dffe9b842152a7fd17b423ab4376c12af1c92de1ee732b6d99d44b138f59a95973936f3de57fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87a9bde6816fc2728773fcfa0e338f90

SHA1
61165985e8dc7d4bebb102446186c684a442e7f2

SHA256
2cfc4c6de797ad1d75e3791e5353dcf7a848b07ffeb2cef2d7fed5fd0d05799d

SHA512
c042b057579a57ae4bdb3de8d1dbcc6b64dca9c9dd3a98ade8edabee7f575273ebe9b856a0fbc33b40258f1905bf66e6e1fb960250490694b20bbfeb099f1a8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e44338d9bef8ef5127725c5ad79c13e3

SHA1
e51a51c9f0333e1705855ae331c88418c7cb05b9

SHA256
d9f3810c69b25e86b58fc6ae0e98383d20d3d3298f703fe83c55fc8589e768f5

SHA512
f11669201160aa90cee774db0ec64b3e2119d5d75a76a60c9f028a401805645e956673935837a877d444891194d0860fb38d38c781bda86ec28c3452b34794ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42f335b6b1cccb9a743e0bad9b846054

SHA1
18bfa0fb5236929ffacf7d0eabc7f04eb98a08ec

SHA256
4ba4cd45ceafdae17e3e996e82cbc53a20abe16c1abe691f6d7277b1cdc7751c

SHA512
b9b760999bb2b81b3b38a34282396a38911eb2cca271a7b561c104b870ed83963762502736b6e550a21438a5771507cb465e22376b81feaa0f88e71baad63fac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3a3ee53392bb3b1f6fd31b7e2ac3e34

SHA1
0eb6e538a633d1b63790e95f699d56f9ba0f7993

SHA256
1b9fae893bcca905aa01af35345e20d8cadab10d9b19cf71329d72aeccfbb288

SHA512
e02c93b3fd35a8327e0ef1a8792713c1d4f530ba0a2ba048691a1e63d5a08ae65c7d3b64a1dfe86e5d0410d7c45c37adc9b167c060d33f99391939abb501cd87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff5371dee777c6518d54a9ea57baa1c6

SHA1
84a5a21a74d19a6cd43c4e4b26927ab2595e58e3

SHA256
ad91d1481c517f6d9482625d239aee8870858ffb51956895c6c17cdb646b4f75

SHA512
6404caa7591ad55ab4a7ca75e9a12c6ed41a081f3361d44562ca1d5e84a589634e931bb416b48a8a14f8d8a62c267eaf31caf7f364171ba848b030cf3bc1c45b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2093d62a82f1a9c793ecccdbb9f231a6

SHA1
080df959dad2ea04ce2d67e08ffb88ca24e154d6

SHA256
e5bcdb08b173c24f5cdfe58b6025d4df55480548597b92273bb9cd7bc3551713

SHA512
a616017d236750162328cd7ab8cd447db45bf00270cbe36941ce10aef85a51f29565a014b513317d889045dc77c291963ea0c8dbb6498a790a5272d6b6d52690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d475bec5acc7418d08d11fce361aafd6

SHA1
5ae0bfc29ca585f2310dc791c581bd0ced85e3b6

SHA256
92091a44eb8a5f10943e72d66c42a82abc0c6908aea4fc4e38a948db00efae4e

SHA512
24b72417132565b357fc076eddd6913d1679ec7c8f4937163d171fd3865c7f0540adc2f6e17f2c5d592ea25e6b11a4bb803b4d54581f5678225b0aa4460d0fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab70CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7173.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\bnbmabel\jtsykbnc.exe

Filesize
114KB

MD5
863e8308667bbb8d7bad223f4b612e7c

SHA1
7f7870310916214f7736d5b73dc61dc10f2f9cfd

SHA256
59de5f450e1d360d082497bad068ec8e59e8b2891487c6243b4828c85bd798c6

SHA512
f6147a881b061ea27704ce13597e8980e59988501c373710f7e4a823dfabd0dc6db6567b2bc1fabcf37bdf62f89e87211fa2da4b477d52d982873f54b5ed424d

Download Submit
memory/496-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-16-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/804-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/804-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/804-17-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/804-15-0x00000000779AF000-0x00000000779B0000-memory.dmp

Filesize
4KB

Download
memory/804-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/804-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-64-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/804-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/804-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-721-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-978-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-3736-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-3797-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-611-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-760-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-773-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-648-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-3651-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-3638-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-3601-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-43-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-37-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-53-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-61-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-60-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-57-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-54-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-65-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2328-67-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2332-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-1614-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-3506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-24-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2512-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2512-18-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/2512-20-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2512-29-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2512-25-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/2512-31-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/2512-32-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/2512-33-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/2516-1375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-3487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-2989-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-1242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-745-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-734-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-1120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download