hawkeye | 77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
Size

468KB
MD5

6ccf841ca92807fe9f10db607f137e69
SHA1

3bc2018b7bb88980b99f1c6f0d8e6ef1392a1072
SHA256

77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727
SHA512

0be1c72156629eb95874fafce4928dd0deb2c17fc181efa1be3d8895985f9ecf972cb2af88f7a68ad8851b3c245b26f46701dcaf368f5aea81a882bbf2b5fc40
SSDEEP

12288:jQFHduFTvmOaeFE0+52UXcQJeR7M+tBkXHh:jQdE1NFE045M9ZAHh

Score

10^/10

hawkeye collection discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
gud12345678

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4080-8-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/2280-28-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2280-30-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2280-33-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4080-8-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/2280-28-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2280-30-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2280-33-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4080-8-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	atiesrx.exe

Executes dropped EXE 64 IoCs

pid	Process
936	IpOverUsbSvrc.exe
3340	atiesrx.exe
1260	atiesrx.exe
2228	IpOverUsbSvrc.exe
3808	atiesrx.exe
4528	atiesrx.exe
1956	atiesrx.exe
1704	atiesrx.exe
2872	atiesrx.exe
1724	atiesrx.exe
2784	atiesrx.exe
2688	atiesrx.exe
4296	atiesrx.exe
4772	atiesrx.exe
2948	atiesrx.exe
2108	atiesrx.exe
844	atiesrx.exe
4020	atiesrx.exe
3024	atiesrx.exe
2036	atiesrx.exe
2352	atiesrx.exe
224	atiesrx.exe
4840	atiesrx.exe
4668	atiesrx.exe
1208	atiesrx.exe
2596	atiesrx.exe
4984	atiesrx.exe
3748	atiesrx.exe
3444	atiesrx.exe
1896	atiesrx.exe
1900	atiesrx.exe
2008	atiesrx.exe
744	atiesrx.exe
4480	atiesrx.exe
1028	atiesrx.exe
4160	atiesrx.exe
1904	atiesrx.exe
1000	atiesrx.exe
2988	atiesrx.exe
1172	atiesrx.exe
64	atiesrx.exe
4488	atiesrx.exe
5000	atiesrx.exe
1468	atiesrx.exe
640	atiesrx.exe
2892	atiesrx.exe
4144	atiesrx.exe
4656	atiesrx.exe
3204	atiesrx.exe
2520	atiesrx.exe
4316	atiesrx.exe
4568	atiesrx.exe
1184	atiesrx.exe
3392	atiesrx.exe
4208	atiesrx.exe
3268	atiesrx.exe
216	atiesrx.exe
3916	atiesrx.exe
1620	atiesrx.exe
4636	atiesrx.exe
3776	atiesrx.exe
3924	atiesrx.exe
964	atiesrx.exe
3676	atiesrx.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4080 set thread context of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 3340 set thread context of 1260	3340	atiesrx.exe	110
PID 3340 set thread context of 3808	3340	atiesrx.exe	112
PID 3340 set thread context of 4528	3340	atiesrx.exe	113
PID 3340 set thread context of 1956	3340	atiesrx.exe	114
PID 3340 set thread context of 1704	3340	atiesrx.exe	115
PID 3340 set thread context of 2872	3340	atiesrx.exe	116
PID 3340 set thread context of 1724	3340	atiesrx.exe	117
PID 3340 set thread context of 2784	3340	atiesrx.exe	118
PID 3340 set thread context of 2688	3340	atiesrx.exe	119
PID 3340 set thread context of 4296	3340	atiesrx.exe	120
PID 3340 set thread context of 4772	3340	atiesrx.exe	121
PID 3340 set thread context of 2948	3340	atiesrx.exe	122
PID 3340 set thread context of 2108	3340	atiesrx.exe	123
PID 3340 set thread context of 844	3340	atiesrx.exe	124
PID 3340 set thread context of 4020	3340	atiesrx.exe	125
PID 3340 set thread context of 3024	3340	atiesrx.exe	126
PID 3340 set thread context of 2036	3340	atiesrx.exe	127
PID 3340 set thread context of 2352	3340	atiesrx.exe	128
PID 3340 set thread context of 224	3340	atiesrx.exe	129
PID 3340 set thread context of 4840	3340	atiesrx.exe	130
PID 3340 set thread context of 4668	3340	atiesrx.exe	131
PID 3340 set thread context of 1208	3340	atiesrx.exe	132
PID 3340 set thread context of 2596	3340	atiesrx.exe	133
PID 3340 set thread context of 4984	3340	atiesrx.exe	134
PID 3340 set thread context of 3748	3340	atiesrx.exe	135
PID 3340 set thread context of 3444	3340	atiesrx.exe	136
PID 3340 set thread context of 1896	3340	atiesrx.exe	137
PID 3340 set thread context of 1900	3340	atiesrx.exe	138
PID 3340 set thread context of 2008	3340	atiesrx.exe	139
PID 3340 set thread context of 744	3340	atiesrx.exe	140
PID 3340 set thread context of 4480	3340	atiesrx.exe	141
PID 3340 set thread context of 1028	3340	atiesrx.exe	142
PID 3340 set thread context of 4160	3340	atiesrx.exe	143
PID 3340 set thread context of 1904	3340	atiesrx.exe	144
PID 3340 set thread context of 1000	3340	atiesrx.exe	145
PID 3340 set thread context of 2988	3340	atiesrx.exe	146
PID 3340 set thread context of 1172	3340	atiesrx.exe	147
PID 3340 set thread context of 64	3340	atiesrx.exe	148
PID 3340 set thread context of 4488	3340	atiesrx.exe	149
PID 3340 set thread context of 5000	3340	atiesrx.exe	150
PID 3340 set thread context of 1468	3340	atiesrx.exe	151
PID 3340 set thread context of 640	3340	atiesrx.exe	152
PID 3340 set thread context of 2892	3340	atiesrx.exe	153
PID 3340 set thread context of 4144	3340	atiesrx.exe	154
PID 3340 set thread context of 4656	3340	atiesrx.exe	155
PID 3340 set thread context of 3204	3340	atiesrx.exe	156
PID 3340 set thread context of 2520	3340	atiesrx.exe	157
PID 3340 set thread context of 4316	3340	atiesrx.exe	158
PID 3340 set thread context of 4568	3340	atiesrx.exe	159
PID 3340 set thread context of 1184	3340	atiesrx.exe	160
PID 3340 set thread context of 3392	3340	atiesrx.exe	161
PID 3340 set thread context of 4208	3340	atiesrx.exe	162
PID 3340 set thread context of 3268	3340	atiesrx.exe	163
PID 3340 set thread context of 216	3340	atiesrx.exe	164
PID 3340 set thread context of 3916	3340	atiesrx.exe	165
PID 3340 set thread context of 1620	3340	atiesrx.exe	166
PID 3340 set thread context of 4636	3340	atiesrx.exe	167
PID 3340 set thread context of 3776	3340	atiesrx.exe	168
PID 3340 set thread context of 3924	3340	atiesrx.exe	169
PID 3340 set thread context of 964	3340	atiesrx.exe	170
PID 3340 set thread context of 3676	3340	atiesrx.exe	171
PID 3340 set thread context of 4212	3340	atiesrx.exe	172

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiesrx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
Token: SeDebugPrivilege	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
Token: SeDebugPrivilege	936	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	3340	atiesrx.exe
Token: SeDebugPrivilege	2228	IpOverUsbSvrc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 4080	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	97
PID 4304 wrote to memory of 936	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	98
PID 4304 wrote to memory of 936	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	98
PID 4304 wrote to memory of 936	4304	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	98
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 4080 wrote to memory of 2280	4080	77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe	103
PID 936 wrote to memory of 3340	936	IpOverUsbSvrc.exe	107
PID 936 wrote to memory of 3340	936	IpOverUsbSvrc.exe	107
PID 936 wrote to memory of 3340	936	IpOverUsbSvrc.exe	107
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 1260	3340	atiesrx.exe	110
PID 3340 wrote to memory of 2228	3340	atiesrx.exe	111
PID 3340 wrote to memory of 2228	3340	atiesrx.exe	111
PID 3340 wrote to memory of 2228	3340	atiesrx.exe	111
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 3808	3340	atiesrx.exe	112
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 4528	3340	atiesrx.exe	113
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1956	3340	atiesrx.exe	114
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115
PID 3340 wrote to memory of 1704	3340	atiesrx.exe	115

C:\Users\Admin\AppData\Local\Temp\77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
"C:\Users\Admin\AppData\Local\Temp\77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe
  "C:\Users\Admin\AppData\Local\Temp\77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1260
  - - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3808
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4528
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1956
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2872
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1724
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2784
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4296
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4772
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2948
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2108
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:844
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3024
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2036
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2352
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3748
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1896
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1900
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:744
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4480
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1028
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4160
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2988
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1172
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:64
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:5000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:640
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4144
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4656
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3204
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:2520
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4316
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4568
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3392
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3268
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:216
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:1620
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:4636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3776
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3924
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      Executes dropped EXE
      PID:3676
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3428
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4620
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4980
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3364
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1708
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3168
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2292
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2436
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:232
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4952
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1452
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:760
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1152
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2472
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2828
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4540
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3588
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2148
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:180
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3572
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4176
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5072
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4180
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5080
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2864
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4828
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5104
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5016
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3172
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3472
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1160
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4496
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1100
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2096
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4712
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5116
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2800
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:740
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4956
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1968
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1272
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:832
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2064
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3752
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3236
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:776
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:404
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4352
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1908
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4072
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3788
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:772
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2360
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5100
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3496
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4944
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1148
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4248
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5128
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5176
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5280
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5536
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5680
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5780
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5828
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5876
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5924
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5972
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6024
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6072
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2288
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5140
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5200
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5296
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5340
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5404
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5472
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5512
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5612
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5648
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5716
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5824
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5992
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:936
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5268
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5336
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5604
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5708
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5748
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5796
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6004
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5188
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5264
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5424
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5652
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5696
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5956
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4520
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2708
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5356
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5440
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5568
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5676
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5528
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5124
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5312
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5572
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5664
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5988
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5152
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5416
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5760
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1992
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6016
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3408
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5360
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1012
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5580
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5144
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5364
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4164
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5304
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:100
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5720
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3232
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:1088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5768
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2576
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5532
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6128
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3956
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4876
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5160
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:756
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6136
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5692
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6064
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:5704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6156
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6220
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6272
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6424
  - - C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
      4⤵
      PID:6472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\atiesrx.exe.log

Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
7KB

MD5
7e50c731e4fcaac9f395aa1faae07674

SHA1
4e347ae9b63a0d7d920e5f7a913825a2504b251c

SHA256
218e599bdf886981e72de419165df2048865c3eabec6d0cbf0ea5bdb2048fe70

SHA512
397142c55667d017a1a7676cd69c1233b1339b6e551e4e5b0ae8a246ee2b1e11c4c1107da0e5f484b6fefced270355adaf50eee9bd2caa071ea395df0f32b66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
468KB

MD5
6ccf841ca92807fe9f10db607f137e69

SHA1
3bc2018b7bb88980b99f1c6f0d8e6ef1392a1072

SHA256
77b2b3c5aba9047e063097d6a0e5efa617e539df5630404a81b4437cd7b0b727

SHA512
0be1c72156629eb95874fafce4928dd0deb2c17fc181efa1be3d8895985f9ecf972cb2af88f7a68ad8851b3c245b26f46701dcaf368f5aea81a882bbf2b5fc40

Download Submit
memory/936-22-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/936-44-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/936-36-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/936-21-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2280-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2280-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2280-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4080-37-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-10-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-9-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-137-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-63-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-35-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4080-23-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-5-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-4-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-42-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-3-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/4304-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-34-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4304-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download