amadey | 6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	d4d8e174e1.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d4d8e174e1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	45978d7a45.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a124ef52b4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	12b253666a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4dc625dd7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52b764137e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	debacf9a3f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9KAUTS66FU22YR5M5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7fOMOTQ.exe

Downloads MZ/PE file 19 IoCs

flow	pid	Process
8	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe
14	2892	skotes.exe

Uses browser remote debugging 2 TTPs 3 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
2152	chrome.exe
3196	chrome.exe
3204	chrome.exe

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x00050000000195c0-1758.dat	net_reactor
behavioral1/memory/3756-1768-0x0000000000E00000-0x0000000001416000-memory.dmp	net_reactor
behavioral1/files/0x00090000000195fe-1795.dat	net_reactor
behavioral1/memory/4192-1803-0x0000000000980000-0x0000000000A3E000-memory.dmp	net_reactor
behavioral1/memory/2988-1978-0x0000000000E20000-0x0000000000EDE000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	45978d7a45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	12b253666a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	12b253666a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52b764137e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1VB7gm8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	45978d7a45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	debacf9a3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c4dc625dd7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c4dc625dd7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52b764137e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a124ef52b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a124ef52b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d4d8e174e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d4d8e174e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	debacf9a3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9KAUTS66FU22YR5M5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9KAUTS66FU22YR5M5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1VB7gm8.exe

Executes dropped EXE 24 IoCs

pid	Process
2588	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
2064	9KAUTS66FU22YR5M5.exe
2892	skotes.exe
1940	nAEqBMS.exe
4924	1VB7gm8.exe
944	L65uNi1.exe
1892	L65uNi1.exe
632	L65uNi1.exe
3464	7fOMOTQ.exe
4164	af53YGc.exe
4468	af53YGc.exe
3488	45978d7a45.exe
2984	12b253666a.exe
3756	04841ffb84.exe
3868	04841ffb84.exe
4192	885e919f26.exe
4264	885e919f26.exe
4676	a124ef52b4.exe
2976	d4d8e174e1.exe
5012	c4dc625dd7.exe
3292	52b764137e.exe
2988	62d2f72b3a.exe
3736	62d2f72b3a.exe
3664	debacf9a3f.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	45978d7a45.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	d4d8e174e1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	c4dc625dd7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	1VB7gm8.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	7fOMOTQ.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	12b253666a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	a124ef52b4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	52b764137e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	debacf9a3f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	9KAUTS66FU22YR5M5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	skotes.exe

Loads dropped DLL 64 IoCs

pid	Process
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2064	9KAUTS66FU22YR5M5.exe
2064	9KAUTS66FU22YR5M5.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
944	L65uNi1.exe
944	L65uNi1.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe
2892	skotes.exe
2892	skotes.exe
4164	af53YGc.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
3756	04841ffb84.exe
3972	WerFault.exe
3972	WerFault.exe
3972	WerFault.exe
3972	WerFault.exe
3972	WerFault.exe
2892	skotes.exe
4192	885e919f26.exe
4368	WerFault.exe
4368	WerFault.exe
4368	WerFault.exe
4368	WerFault.exe
4368	WerFault.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
2892	skotes.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
2892	skotes.exe
2892	skotes.exe
2988	62d2f72b3a.exe
4840	WerFault.exe
4840	WerFault.exe
4840	WerFault.exe
4840	WerFault.exe
4840	WerFault.exe
2892	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2504	tasklist.exe
4740	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2588	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
2064	9KAUTS66FU22YR5M5.exe
2892	skotes.exe
4924	1VB7gm8.exe
3464	7fOMOTQ.exe
3488	45978d7a45.exe
2984	12b253666a.exe
4676	a124ef52b4.exe
2976	d4d8e174e1.exe
5012	c4dc625dd7.exe
3292	52b764137e.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 632	944	L65uNi1.exe	40
PID 4164 set thread context of 4468	4164	af53YGc.exe	45
PID 3756 set thread context of 3868	3756	04841ffb84.exe	51
PID 4192 set thread context of 4264	4192	885e919f26.exe	54
PID 2988 set thread context of 3736	2988	62d2f72b3a.exe	64
PID 4676 set thread context of 3848	4676	a124ef52b4.exe	61

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	9KAUTS66FU22YR5M5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1764	944	WerFault.exe	38
3252	1940	WerFault.exe	36
4832	4164	WerFault.exe	44
3972	3756	WerFault.exe	50
4368	4192	WerFault.exe	53
3152	5012	WerFault.exe	58
4840	2988	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nAEqBMS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	885e919f26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04841ffb84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4dc625dd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62d2f72b3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	885e919f26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a124ef52b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9KAUTS66FU22YR5M5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04841ffb84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52b764137e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62d2f72b3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45978d7a45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12b253666a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4d8e174e1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d4d8e174e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d4d8e174e1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	52b764137e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	52b764137e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	52b764137e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
2588	ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
2064	9KAUTS66FU22YR5M5.exe
2892	skotes.exe
4924	1VB7gm8.exe
4924	1VB7gm8.exe
4924	1VB7gm8.exe
4924	1VB7gm8.exe
4924	1VB7gm8.exe
632	L65uNi1.exe
632	L65uNi1.exe
632	L65uNi1.exe
632	L65uNi1.exe
1940	nAEqBMS.exe
3464	7fOMOTQ.exe
3464	7fOMOTQ.exe
3464	7fOMOTQ.exe
3464	7fOMOTQ.exe
3464	7fOMOTQ.exe
4468	af53YGc.exe
4468	af53YGc.exe
4468	af53YGc.exe
4468	af53YGc.exe
3488	45978d7a45.exe
2984	12b253666a.exe
2984	12b253666a.exe
2984	12b253666a.exe
2984	12b253666a.exe
2984	12b253666a.exe
3488	45978d7a45.exe
3488	45978d7a45.exe
4264	885e919f26.exe
4264	885e919f26.exe
4264	885e919f26.exe
4264	885e919f26.exe
4676	a124ef52b4.exe
2976	d4d8e174e1.exe
2976	d4d8e174e1.exe
2976	d4d8e174e1.exe
2976	d4d8e174e1.exe
2976	d4d8e174e1.exe
2976	d4d8e174e1.exe
5012	c4dc625dd7.exe
5012	c4dc625dd7.exe
5012	c4dc625dd7.exe
5012	c4dc625dd7.exe
5012	c4dc625dd7.exe
3292	52b764137e.exe
3736	62d2f72b3a.exe
3736	62d2f72b3a.exe
3736	62d2f72b3a.exe
3736	62d2f72b3a.exe
2152	chrome.exe
2152	chrome.exe
3664	debacf9a3f.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	nAEqBMS.exe
Token: SeDebugPrivilege	1940	nAEqBMS.exe
Token: SeDebugPrivilege	3488	45978d7a45.exe
Token: SeDebugPrivilege	3868	04841ffb84.exe
Token: SeIncreaseQuotaPrivilege	3868	04841ffb84.exe
Token: SeSecurityPrivilege	3868	04841ffb84.exe
Token: SeTakeOwnershipPrivilege	3868	04841ffb84.exe
Token: SeLoadDriverPrivilege	3868	04841ffb84.exe
Token: SeSystemProfilePrivilege	3868	04841ffb84.exe
Token: SeSystemtimePrivilege	3868	04841ffb84.exe
Token: SeProfSingleProcessPrivilege	3868	04841ffb84.exe
Token: SeIncBasePriorityPrivilege	3868	04841ffb84.exe
Token: SeCreatePagefilePrivilege	3868	04841ffb84.exe
Token: SeBackupPrivilege	3868	04841ffb84.exe
Token: SeRestorePrivilege	3868	04841ffb84.exe
Token: SeShutdownPrivilege	3868	04841ffb84.exe
Token: SeDebugPrivilege	3868	04841ffb84.exe
Token: SeSystemEnvironmentPrivilege	3868	04841ffb84.exe
Token: SeRemoteShutdownPrivilege	3868	04841ffb84.exe
Token: SeUndockPrivilege	3868	04841ffb84.exe
Token: SeManageVolumePrivilege	3868	04841ffb84.exe
Token: 33	3868	04841ffb84.exe
Token: 34	3868	04841ffb84.exe
Token: 35	3868	04841ffb84.exe
Token: SeIncreaseQuotaPrivilege	3868	04841ffb84.exe
Token: SeSecurityPrivilege	3868	04841ffb84.exe
Token: SeTakeOwnershipPrivilege	3868	04841ffb84.exe
Token: SeLoadDriverPrivilege	3868	04841ffb84.exe
Token: SeSystemProfilePrivilege	3868	04841ffb84.exe
Token: SeSystemtimePrivilege	3868	04841ffb84.exe
Token: SeProfSingleProcessPrivilege	3868	04841ffb84.exe
Token: SeIncBasePriorityPrivilege	3868	04841ffb84.exe
Token: SeCreatePagefilePrivilege	3868	04841ffb84.exe
Token: SeBackupPrivilege	3868	04841ffb84.exe
Token: SeRestorePrivilege	3868	04841ffb84.exe
Token: SeShutdownPrivilege	3868	04841ffb84.exe
Token: SeDebugPrivilege	3868	04841ffb84.exe
Token: SeSystemEnvironmentPrivilege	3868	04841ffb84.exe
Token: SeRemoteShutdownPrivilege	3868	04841ffb84.exe
Token: SeUndockPrivilege	3868	04841ffb84.exe
Token: SeManageVolumePrivilege	3868	04841ffb84.exe
Token: 33	3868	04841ffb84.exe
Token: 34	3868	04841ffb84.exe
Token: 35	3868	04841ffb84.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2064	9KAUTS66FU22YR5M5.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2588	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	31
PID 2256 wrote to memory of 2588	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	31
PID 2256 wrote to memory of 2588	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	31
PID 2256 wrote to memory of 2588	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	31
PID 2256 wrote to memory of 2064	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	32
PID 2256 wrote to memory of 2064	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	32
PID 2256 wrote to memory of 2064	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	32
PID 2256 wrote to memory of 2064	2256	6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe	32
PID 2064 wrote to memory of 2892	2064	9KAUTS66FU22YR5M5.exe	33
PID 2064 wrote to memory of 2892	2064	9KAUTS66FU22YR5M5.exe	33
PID 2064 wrote to memory of 2892	2064	9KAUTS66FU22YR5M5.exe	33
PID 2064 wrote to memory of 2892	2064	9KAUTS66FU22YR5M5.exe	33
PID 2892 wrote to memory of 1940	2892	skotes.exe	36
PID 2892 wrote to memory of 1940	2892	skotes.exe	36
PID 2892 wrote to memory of 1940	2892	skotes.exe	36
PID 2892 wrote to memory of 1940	2892	skotes.exe	36
PID 2892 wrote to memory of 4924	2892	skotes.exe	37
PID 2892 wrote to memory of 4924	2892	skotes.exe	37
PID 2892 wrote to memory of 4924	2892	skotes.exe	37
PID 2892 wrote to memory of 4924	2892	skotes.exe	37
PID 2892 wrote to memory of 944	2892	skotes.exe	38
PID 2892 wrote to memory of 944	2892	skotes.exe	38
PID 2892 wrote to memory of 944	2892	skotes.exe	38
PID 2892 wrote to memory of 944	2892	skotes.exe	38
PID 944 wrote to memory of 1892	944	L65uNi1.exe	39
PID 944 wrote to memory of 1892	944	L65uNi1.exe	39
PID 944 wrote to memory of 1892	944	L65uNi1.exe	39
PID 944 wrote to memory of 1892	944	L65uNi1.exe	39
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 632	944	L65uNi1.exe	40
PID 944 wrote to memory of 1764	944	L65uNi1.exe	41
PID 944 wrote to memory of 1764	944	L65uNi1.exe	41
PID 944 wrote to memory of 1764	944	L65uNi1.exe	41
PID 944 wrote to memory of 1764	944	L65uNi1.exe	41
PID 1940 wrote to memory of 3252	1940	nAEqBMS.exe	42
PID 1940 wrote to memory of 3252	1940	nAEqBMS.exe	42
PID 1940 wrote to memory of 3252	1940	nAEqBMS.exe	42
PID 1940 wrote to memory of 3252	1940	nAEqBMS.exe	42
PID 2892 wrote to memory of 3464	2892	skotes.exe	43
PID 2892 wrote to memory of 3464	2892	skotes.exe	43
PID 2892 wrote to memory of 3464	2892	skotes.exe	43
PID 2892 wrote to memory of 3464	2892	skotes.exe	43
PID 2892 wrote to memory of 4164	2892	skotes.exe	44
PID 2892 wrote to memory of 4164	2892	skotes.exe	44
PID 2892 wrote to memory of 4164	2892	skotes.exe	44
PID 2892 wrote to memory of 4164	2892	skotes.exe	44
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45
PID 4164 wrote to memory of 4468	4164	af53YGc.exe	45

C:\Users\Admin\AppData\Local\Temp\6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe
"C:\Users\Admin\AppData\Local\Temp\6c2d199bf80aab2107567e6ae13ae6b9f71d2cdc39d0929fed7fdab34832db39.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe
  "C:\Users\Admin\AppData\Local\Temp\ZY087R5HTN96QPJSM19WQFLXNUK0G1Z.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\9KAUTS66FU22YR5M5.exe
  "C:\Users\Admin\AppData\Local\Temp\9KAUTS66FU22YR5M5.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\1069260001\nAEqBMS.exe
      "C:\Users\Admin\AppData\Local\Temp\1069260001\nAEqBMS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 652
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\1069264001\1VB7gm8.exe
      "C:\Users\Admin\AppData\Local\Temp\1069264001\1VB7gm8.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe
      "C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe"
        5⤵
        Executes dropped EXE
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069267001\L65uNi1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 524
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\1069268001\7fOMOTQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1069268001\7fOMOTQ.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\1069270001\af53YGc.exe
      "C:\Users\Admin\AppData\Local\Temp\1069270001\af53YGc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\1069270001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069270001\af53YGc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 524
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\1069271001\45978d7a45.exe
      "C:\Users\Admin\AppData\Local\Temp\1069271001\45978d7a45.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\1069272001\12b253666a.exe
      "C:\Users\Admin\AppData\Local\Temp\1069272001\12b253666a.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\1069273001\04841ffb84.exe
      "C:\Users\Admin\AppData\Local\Temp\1069273001\04841ffb84.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\1069273001\04841ffb84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069273001\04841ffb84.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 536
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\1069274001\885e919f26.exe
      "C:\Users\Admin\AppData\Local\Temp\1069274001\885e919f26.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\1069274001\885e919f26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069274001\885e919f26.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 516
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\1069275001\a124ef52b4.exe
      "C:\Users\Admin\AppData\Local\Temp\1069275001\a124ef52b4.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4676
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        
        PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\1069276001\d4d8e174e1.exe
      "C:\Users\Admin\AppData\Local\Temp\1069276001\d4d8e174e1.exe"
      4⤵
      Enumerates VirtualBox registry keys
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2152
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a19758,0x7fef6a19768,0x7fef6a19778
        6⤵
        
        PID:3024
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:1548
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:2
        6⤵
        
        PID:988
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:8
        6⤵
        
        PID:996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:8
        6⤵
        
        PID:1556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3204
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3196
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2824 --field-trial-handle=1392,i,12407370427200185892,9450281763200618743,131072 /prefetch:2
        6⤵
        
        PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\1069277001\c4dc625dd7.exe
      "C:\Users\Admin\AppData\Local\Temp\1069277001\c4dc625dd7.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1228
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\1069278001\52b764137e.exe
      "C:\Users\Admin\AppData\Local\Temp\1069278001\52b764137e.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\1069279001\62d2f72b3a.exe
      "C:\Users\Admin\AppData\Local\Temp\1069279001\62d2f72b3a.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\1069279001\62d2f72b3a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069279001\62d2f72b3a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 516
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\1069280001\debacf9a3f.exe
      "C:\Users\Admin\AppData\Local\Temp\1069280001\debacf9a3f.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\1069281001\cd7c03d7f9.exe
      "C:\Users\Admin\AppData\Local\Temp\1069281001\cd7c03d7f9.exe"
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\1069282001\992a83a402.exe
      "C:\Users\Admin\AppData\Local\Temp\1069282001\992a83a402.exe"
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
        5⤵
        
        PID:3048
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2504
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:2520
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4740
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        6⤵
        
        PID:4752
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 764661
        6⤵
        
        PID:3684
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Fm
        6⤵
        
        PID:4284
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Tunnel" Addresses
        6⤵
        
        PID:3088
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
        6⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
        
        Macromedia.com F
        6⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3556
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        
        PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
      "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
      4⤵
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:380
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:288
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3448
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3796
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:468
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:996
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3208
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3976
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:408
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:900
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:332
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3832
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:496
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:688
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:928
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:448
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3920
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:868
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:668
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5164
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5188
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5220
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5252
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5316
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5332
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5352
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5360
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5384
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5392
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5400
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5416
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5424
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5440
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5544
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5600
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5652
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5660
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5668
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5676
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5724
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5732
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5764
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5812
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5836
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5844
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5860
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5892
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5932
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5956
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5972
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6004
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6044
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069283001\88e4563305.exe"
        5⤵
        
        PID:6100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion