1e42153407ae1f593b5ad9b9b043f95dfd30f773874fbd0741ad1e5b5af2c490

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 03:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
Size

907KB
MD5

7c740ef443c7ed33df4b85479ee25408
SHA1

1078462d6e5cbbc91a8c76a613599e7aba88902a
SHA256

1e42153407ae1f593b5ad9b9b043f95dfd30f773874fbd0741ad1e5b5af2c490
SHA512

7cefe2c71013068c5aaeb2ea2a61b6a847acb768244bd585f1fc7ea23ed3e517f19873fbf33fa7408c2443c6389b7e96887c23ee0a72d19379cd6f5e1fe3dba6
SSDEEP

12288:UKBbJ0pcx9iEZS1ixBIaHVCHqn3dBLuRvJTYcdMbGXhgY0Xdpk9pGHNu4B2UqpIm:LN0pcnRmixBgQwrYcdMbGXuXdbI4rYB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3556	lsass.exe
4224	smss.exe
1100	smss.exe
496	smss.exe
1864	smss.exe
3560	smss.exe
2216	smss.exe
5024	smss.exe
1628	smss.exe
3892	smss.exe
3432	smss.exe
4592	smss.exe
3712	smss.exe
4244	smss.exe
2376	smss.exe
4704	smss.exe
2908	smss.exe
3872	smss.exe
2744	smss.exe
992	smss.exe
4280	smss.exe
4256	smss.exe
4608	smss.exe
3620	smss.exe
4644	smss.exe
4220	smss.exe
3164	smss.exe
4788	smss.exe
4396	smss.exe
3240	smss.exe
3216	smss.exe
4728	smss.exe
2912	smss.exe
3796	smss.exe
2824	smss.exe
1708	smss.exe
1740	smss.exe
1948	smss.exe
836	smss.exe
1368	smss.exe
2164	smss.exe
3196	smss.exe
2484	smss.exe
3100	smss.exe
1400	smss.exe
504	smss.exe
1152	smss.exe
4248	smss.exe
3528	smss.exe
3476	smss.exe
2432	smss.exe
756	smss.exe
3096	smss.exe
4332	smss.exe
4640	smss.exe
2316	smss.exe
2516	smss.exe
4184	smss.exe
3864	smss.exe
2408	smss.exe
1616	smss.exe
4836	smss.exe
2944	smss.exe
4880	smss.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\com\smss.exe	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
3556	lsass.exe
3556	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3556	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	82
PID 1192 wrote to memory of 3556	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	82
PID 1192 wrote to memory of 3556	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	82
PID 1192 wrote to memory of 4224	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	83
PID 1192 wrote to memory of 4224	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	83
PID 1192 wrote to memory of 4224	1192	2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe	83
PID 3556 wrote to memory of 1100	3556	lsass.exe	84
PID 3556 wrote to memory of 1100	3556	lsass.exe	84
PID 3556 wrote to memory of 1100	3556	lsass.exe	84
PID 3556 wrote to memory of 496	3556	lsass.exe	85
PID 3556 wrote to memory of 496	3556	lsass.exe	85
PID 3556 wrote to memory of 496	3556	lsass.exe	85
PID 3556 wrote to memory of 1864	3556	lsass.exe	86
PID 3556 wrote to memory of 1864	3556	lsass.exe	86
PID 3556 wrote to memory of 1864	3556	lsass.exe	86
PID 3556 wrote to memory of 3560	3556	lsass.exe	87
PID 3556 wrote to memory of 3560	3556	lsass.exe	87
PID 3556 wrote to memory of 3560	3556	lsass.exe	87
PID 3556 wrote to memory of 2216	3556	lsass.exe	88
PID 3556 wrote to memory of 2216	3556	lsass.exe	88
PID 3556 wrote to memory of 2216	3556	lsass.exe	88
PID 3556 wrote to memory of 5024	3556	lsass.exe	89
PID 3556 wrote to memory of 5024	3556	lsass.exe	89
PID 3556 wrote to memory of 5024	3556	lsass.exe	89
PID 3556 wrote to memory of 1628	3556	lsass.exe	90
PID 3556 wrote to memory of 1628	3556	lsass.exe	90
PID 3556 wrote to memory of 1628	3556	lsass.exe	90
PID 3556 wrote to memory of 3892	3556	lsass.exe	91
PID 3556 wrote to memory of 3892	3556	lsass.exe	91
PID 3556 wrote to memory of 3892	3556	lsass.exe	91
PID 3556 wrote to memory of 3432	3556	lsass.exe	92
PID 3556 wrote to memory of 3432	3556	lsass.exe	92
PID 3556 wrote to memory of 3432	3556	lsass.exe	92
PID 3556 wrote to memory of 4592	3556	lsass.exe	93
PID 3556 wrote to memory of 4592	3556	lsass.exe	93
PID 3556 wrote to memory of 4592	3556	lsass.exe	93
PID 3556 wrote to memory of 3712	3556	lsass.exe	94
PID 3556 wrote to memory of 3712	3556	lsass.exe	94
PID 3556 wrote to memory of 3712	3556	lsass.exe	94
PID 3556 wrote to memory of 4244	3556	lsass.exe	95
PID 3556 wrote to memory of 4244	3556	lsass.exe	95
PID 3556 wrote to memory of 4244	3556	lsass.exe	95
PID 3556 wrote to memory of 2376	3556	lsass.exe	96
PID 3556 wrote to memory of 2376	3556	lsass.exe	96
PID 3556 wrote to memory of 2376	3556	lsass.exe	96
PID 3556 wrote to memory of 4704	3556	lsass.exe	97
PID 3556 wrote to memory of 4704	3556	lsass.exe	97
PID 3556 wrote to memory of 4704	3556	lsass.exe	97
PID 3556 wrote to memory of 2908	3556	lsass.exe	98
PID 3556 wrote to memory of 2908	3556	lsass.exe	98
PID 3556 wrote to memory of 2908	3556	lsass.exe	98
PID 3556 wrote to memory of 3872	3556	lsass.exe	99
PID 3556 wrote to memory of 3872	3556	lsass.exe	99
PID 3556 wrote to memory of 3872	3556	lsass.exe	99
PID 3556 wrote to memory of 2744	3556	lsass.exe	100
PID 3556 wrote to memory of 2744	3556	lsass.exe	100
PID 3556 wrote to memory of 2744	3556	lsass.exe	100
PID 3556 wrote to memory of 992	3556	lsass.exe	101
PID 3556 wrote to memory of 992	3556	lsass.exe	101
PID 3556 wrote to memory of 992	3556	lsass.exe	101
PID 3556 wrote to memory of 4280	3556	lsass.exe	102
PID 3556 wrote to memory of 4280	3556	lsass.exe	102
PID 3556 wrote to memory of 4280	3556	lsass.exe	102
PID 3556 wrote to memory of 4256	3556	lsass.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\com\lsass.exe
  "C:\Windows\system32\com\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1100
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
    3⤵
    - Executes dropped EXE
    PID:496
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
    3⤵
    - Executes dropped EXE
    PID:3560
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3892
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4592
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3712
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4244
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4704
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:992
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4280
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3620
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4644
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4220
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4788
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3216
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3796
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:836
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2484
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3100
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:504
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1152
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4248
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3528
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3476
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:756
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3096
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4332
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4640
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4184
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:3864
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    PID:4880
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:956
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:696
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:324
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:388
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:664
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:100
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:788
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:500
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:960
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:944
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:336
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:232
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:444
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:996
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:656
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:60
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:804
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:940
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6236
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6256
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6324
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6464
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6568
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6600
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6720
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6856
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6896
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6916
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6948
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7052
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7068
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7100
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7136
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6152
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6228
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6436
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6512
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6596
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6732
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6864
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:840
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7144
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6248
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6784
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6456
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:892
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:924
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:724
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    PID:7132
- C:\Windows\SysWOW64\com\smss.exe
  C:\Users\Admin\AppData\Local\Temp\2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid.~|C:\Users\Admin\AppData\Local\Temp\2024-09-29_7c740ef443c7ed33df4b85479ee25408_icedid .exe
  2⤵
  - Executes dropped EXE
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\lsass.exe

Filesize
40KB

MD5
94f9d9e6d5b42017d190dcb059fcd3ff

SHA1
a045c5a48222d7f644e23c1bf5e25b13fb57b266

SHA256
13d11a7f74689648ef7b5b3d588332cf08778251992def91d09dfc941c2ff558

SHA512
8bcfb0001798e460d7d786f35c112cc7b392dc0c971accc26fec4bed6f78679d30537533f09e15a7660b3ca5a85e014d2c14f288d6d38dd2d3addd0b78fe9ac6

Download Submit
C:\Windows\SysWOW64\Com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads