limerat | 55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0

Analysis

max time kernel
1714s
max time network
1763s
platform
windows10_x64
resource
win10v20210408
submitted
27-09-2021 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Size

616KB
MD5

2f79e1ce8c8dde93cf2664eab439b767
SHA1

b294ba2284d45bfdaa842dd133c6c07f73bdc42d
SHA256

55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0
SHA512

0e9ab1f5c65dc51054b81d2ab0b8fefbefbe9c8f0b06efb1c710421e1e875f60e81d1612a25e42ac4d60a189708efa238e036258a86b24c7d5470bf4a0d75a0f

Score

10^/10

limerat evasion rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qe88ygu7xcv94gtk6wdnkhks5dpchwnvasjr4pf

Attributes

aes_key
lime
antivm
true
c2_url
https://pastebin.com/raw/d2wuKbQW
delay
4
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Loads dropped DLL 2 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

pid process

804 3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
804 3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious use of SetThreadContext 64 IoCs

Processes:

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4532	schtasks.exe
4900	schtasks.exe
5092	schtasks.exe
3228
644	schtasks.exe
4540	schtasks.exe
3148	schtasks.exe
4116	schtasks.exe
1596	schtasks.exe
4104	schtasks.exe
1132
3664	schtasks.exe
3168	schtasks.exe
3252	schtasks.exe
1232	schtasks.exe
2904
3356
4272	schtasks.exe
4644	schtasks.exe
3064	schtasks.exe
4488	schtasks.exe
4900	schtasks.exe
1684
1068
3956	schtasks.exe
3196	schtasks.exe
2284	schtasks.exe
1164	schtasks.exe
4376
4180	schtasks.exe
2332	schtasks.exe
4036	schtasks.exe
2120	schtasks.exe
800	schtasks.exe
4220	schtasks.exe
4428	schtasks.exe
4296	schtasks.exe
5072	schtasks.exe
2812	schtasks.exe
3184
4168	schtasks.exe
1800	schtasks.exe
2080	schtasks.exe
4332	schtasks.exe
4876	schtasks.exe
4248	schtasks.exe
2320	schtasks.exe
4820	schtasks.exe
1728	schtasks.exe
2992	schtasks.exe
180	schtasks.exe
4884	schtasks.exe
4812	schtasks.exe
4924	schtasks.exe
4628	schtasks.exe
4080
4380	schtasks.exe
1524	schtasks.exe
4456	schtasks.exe
3168	schtasks.exe
3156	schtasks.exe
1436	schtasks.exe
4804	schtasks.exe
4680

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
828	powershell.exe
1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
828	powershell.exe
828	powershell.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
2120	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1620	powershell.exe
2120	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1620	powershell.exe
1620	powershell.exe
4032	MSBuild.exe
804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3832	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1600	powershell.exe
3832	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
1600	powershell.exe
1600	powershell.exe
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4732	powershell.exe
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4732	powershell.exe
4732	powershell.exe
4032	MSBuild.exe
2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4032	MSBuild.exe
4032	MSBuild.exe
4916	powershell.exe
4916	powershell.exe
2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
4916	powershell.exe
2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

4032 MSBuild.exe

pid	process
4032	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrMSBuild.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	pid	process
Token: SeDebugPrivilege	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4032	MSBuild.exe
Token: SeDebugPrivilege	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	2120	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	3832	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1512	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	1248	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	636	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4196	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	4144	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4140	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	4300	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4436	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	5052	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2812	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4544	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4936	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4968	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4596	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4732	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4836	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	1864	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4040	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	5076	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4572	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	4516	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2900	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4684	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4504	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrMSBuild.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	pid	process	target process
PID 1404 wrote to memory of 828	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1404 wrote to memory of 828	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1404 wrote to memory of 828	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1404 wrote to memory of 3664	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1404 wrote to memory of 3664	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1404 wrote to memory of 3664	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1404 wrote to memory of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 804 wrote to memory of 4064	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4064	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4064	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 804 wrote to memory of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 4032 wrote to memory of 1948	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1948	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1948	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2120	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2120	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2120	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3832	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3832	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3832	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3944	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3944	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 3944	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1332	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1332	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1332	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2440	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2440	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2440	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2100	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2100	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 2100	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1512	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1512	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1512	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 3868	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1948 wrote to memory of 3868	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1948 wrote to memory of 3868	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 1948 wrote to memory of 3544	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1948 wrote to memory of 3544	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1948 wrote to memory of 3544	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1948 wrote to memory of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1248	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1248	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4032 wrote to memory of 1248	4032	MSBuild.exe	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
"C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FDD.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3664
- C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
  "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
    3⤵
    PID:4064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EDC.tmp"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ACE.tmp"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91E1.tmp"
        5⤵
        
        PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:852
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F9C.tmp"
        5⤵
        
        PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBEC.tmp"
        5⤵
        
        PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECE2.tmp"
        5⤵
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF41.tmp"
        5⤵
        
        PID:360
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12A9.tmp"
        5⤵
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A29.tmp"
        5⤵
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D51.tmp"
        5⤵
        
        PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp600E.tmp"
        5⤵
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67FD.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:988
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8691.tmp"
        5⤵
        
        PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D29.tmp"
        5⤵
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA574.tmp"
        5⤵
        
        PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB91B.tmp"
        5⤵
        
        PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE66.tmp"
        5⤵
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD32B.tmp"
        5⤵
        
        PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE52C.tmp"
        5⤵
        
        PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE6.tmp"
        5⤵
        
        PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1813.tmp"
        5⤵
        
        PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36E6.tmp"
        5⤵
        
        PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CFE.tmp"
        5⤵
        
        PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44E0.tmp"
        5⤵
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60E4.tmp"
        5⤵
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E4F.tmp"
        5⤵
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp914B.tmp"
        5⤵
        
        PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB86A.tmp"
        5⤵
        
        PID:4592
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA1D.tmp"
        5⤵
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD57.tmp"
        5⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3944
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp"
        5⤵
        
        PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:4760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4724
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12B0.tmp"
        5⤵
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:5084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2453.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:3812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3645.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:2260
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53EF.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A36.tmp"
        5⤵
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B80.tmp"
        5⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9472.tmp"
        5⤵
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87A1.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:2152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA0E.tmp"
        5⤵
        
        PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC4B.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE12B.tmp"
        5⤵
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:1804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp443.tmp"
        5⤵
        
        PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:5080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15E7.tmp"
        5⤵
        
        PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      PID:4176
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp346B.tmp"
        5⤵
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:5004
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4244
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A57.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:644
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5774.tmp"
        5⤵
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:4408
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CE1.tmp"
        5⤵
        
        PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:3720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96A0.tmp"
        5⤵
        
        PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      PID:2808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D0B.tmp"
        5⤵
        
        PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:3180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpABDE.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:4300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC68.tmp"
        5⤵
        
        PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:2256
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD9C.tmp"
        5⤵
        
        PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4668
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD29F.tmp"
        5⤵
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:1928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF8E.tmp"
        5⤵
        
        PID:644
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:3620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:828
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE51.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:4148
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2459.tmp"
        5⤵
        
        PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:1244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D40.tmp"
        5⤵
        
        PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:5060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48BA.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:4264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6664.tmp"
        5⤵
        
        PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:2068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp"
        5⤵
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Suspicious use of SetThreadContext
      PID:3164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D37.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4160
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp988F.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:412
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE07.tmp"
        5⤵
        
        PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA3C.tmp"
        5⤵
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:1800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF110.tmp"
        5⤵
        
        PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B3C.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3C.tmp"
        5⤵
        
        PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:604
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27CF.tmp"
        5⤵
        
        PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D39.tmp"
        5⤵
        
        PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72D2.tmp"
        5⤵
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6BDD.tmp"
        5⤵
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:1828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F65.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC289.tmp"
        5⤵
        
        PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:828
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEFA.tmp"
        5⤵
        
        PID:632
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2A6.tmp"
        5⤵
        
        PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5AE.tmp"
        5⤵
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16E2.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BE4.tmp"
        5⤵
        
        PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21C0.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:412
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp324A.tmp"
        5⤵
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C0C.tmp"
        5⤵
        
        PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:2152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp"
        5⤵
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8490.tmp"
        5⤵
        
        PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C00.tmp"
        5⤵
        
        PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44D.tmp"
        5⤵
        
        PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC022.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF24.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD754.tmp"
        5⤵
        
        PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF28D.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFABA.tmp"
        5⤵
        
        PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4E.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DD3.tmp"
        5⤵
        
        PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp"
        5⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A0E.tmp"
        5⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BF1.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F0B.tmp"
        5⤵
        
        PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4136
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87E7.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96FA.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:180
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:248
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB977.tmp"
        5⤵
        
        PID:4320
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:3956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8E8.tmp"
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB37.tmp"
        5⤵
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6BE.tmp"
        5⤵
        
        PID:4148
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1320.tmp"
        5⤵
        
        PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1998.tmp"
        5⤵
        
        PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28DA.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:3568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp33A8.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:196
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C50.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3340
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp"
        5⤵
        
        PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7583.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA26F.tmp"
        5⤵
        
        PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A41.tmp"
        5⤵
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB80A.tmp"
        5⤵
        
        PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE005.tmp"
        5⤵
        
        PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF012.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:248
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31D.tmp"
        5⤵
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FEC.tmp"
        5⤵
        
        PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39DD.tmp"
        5⤵
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D1B.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3408
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BAF.tmp"
        5⤵
        
        PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:636
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C69.tmp"
        5⤵
        
        PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:644
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9849.tmp"
        5⤵
        
        PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EE2.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:300
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB304.tmp"
        5⤵
        
        PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp"
        5⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD310.tmp"
        5⤵
        
        PID:360
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEABE.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD5C.tmp"
        5⤵
        
        PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:2796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CBB.tmp"
        5⤵
        
        PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:3092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26EC.tmp"
        5⤵
        
        PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A96.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58CA.tmp"
        5⤵
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64FF.tmp"
        5⤵
        
        PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8614.tmp"
        5⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp947B.tmp"
        5⤵
        
        PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4728
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA237.tmp"
        5⤵
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA24.tmp"
        5⤵
        
        PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp"
        5⤵
        
        PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:744
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB84.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE56A.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:5112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2012.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp452E.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5422.tmp"
        5⤵
        
        PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F4D.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6662.tmp"
        5⤵
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F99.tmp"
        5⤵
        
        PID:180
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:2096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81E8.tmp"
        5⤵
        
        PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp960D.tmp"
        5⤵
        
        PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC616.tmp"
        5⤵
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD817.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE12F.tmp"
        5⤵
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:1248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:96
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB10.tmp"
        5⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1975.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:580
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E43.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FDC.tmp"
        5⤵
        
        PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:800
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp512F.tmp"
        5⤵
        
        PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6832.tmp"
        5⤵
        
        PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87B0.tmp"
        5⤵
        
        PID:180
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7DAE.tmp"
        5⤵
        
        PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D2C.tmp"
        5⤵
        
        PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:68
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7C6.tmp"
        5⤵
        
        PID:796
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE6B.tmp"
        5⤵
        
        PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE706.tmp"
        5⤵
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7DD.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF51.tmp"
        5⤵
        
        PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B65.tmp"
        5⤵
        
        PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C2B.tmp"
        5⤵
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:796
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5409.tmp"
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5CB3.tmp"
        5⤵
        
        PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C20.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:800
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA46B.tmp"
        5⤵
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D85.tmp"
        5⤵
        
        PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2B3.tmp"
        5⤵
        
        PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8D9.tmp"
        5⤵
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD619.tmp"
        5⤵
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4148
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCAC.tmp"
        5⤵
        
        PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFAC.tmp"
        5⤵
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2320.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4220
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D6C.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp"
        5⤵
        
        PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:2952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A29.tmp"
        5⤵
        
        PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4216
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71FC.tmp"
        5⤵
        
        PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4672
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4420
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8209.tmp"
        5⤵
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:5108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA783.tmp"
        5⤵
        
        PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3752
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB1A.tmp"
        5⤵
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6C1.tmp"
        5⤵
        
        PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE816.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:684
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93A.tmp"
        5⤵
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18A.tmp"
        5⤵
        
        PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4372
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp"
        5⤵
        
        PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F2D.tmp"
        5⤵
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:764
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5883.tmp"
        5⤵
        
        PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7766.tmp"
        5⤵
        
        PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4220
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E3E.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E1C.tmp"
        5⤵
        
        PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:1368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BA9.tmp"
        5⤵
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB885.tmp"
        5⤵
        
        PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:724
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD40C.tmp"
        5⤵
        
        PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA27.tmp"
        5⤵
        
        PID:180
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6B7.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1338.tmp"
        5⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26B1.tmp"
        5⤵
        
        PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4284
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp418C.tmp"
        5⤵
        
        PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:68
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37C8.tmp"
        5⤵
        
        PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:1380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65DC.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73E6.tmp"
        5⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B8A.tmp"
        5⤵
        
        PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:796
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:696
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D86.tmp"
        5⤵
        
        PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA0A.tmp"
        5⤵
        
        PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC60D.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7ED.tmp"
        5⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:2112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEB6.tmp"
        5⤵
        
        PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:728
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F5.tmp"
        5⤵
        
        PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26DB.tmp"
        5⤵
        
        PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:5012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D74.tmp"
        5⤵
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4715.tmp"
        5⤵
        
        PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp582C.tmp"
        5⤵
        
        PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72C8.tmp"
        5⤵
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:728
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E61.tmp"
        5⤵
        
        PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1A6.tmp"
        5⤵
        
        PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3B7.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      Maps connected drives based on registry
      PID:4324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD1D.tmp"
        5⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE92.tmp"
        5⤵
        
        PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC1C.tmp"
        5⤵
        
        PID:408
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:636
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:492
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF3C0.tmp"
        5⤵
        
        PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
        
        "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
        5⤵
        
        PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Maps connected drives based on registry
      PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      Checks BIOS information in registry
      PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
      "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
      4⤵
      PID:4628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2eihrgvz\2eihrgvz.cmdline"
    3⤵
    PID:4632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAEE072B16B24908AABAEBC554182ACC.TMP"
      4⤵
      PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr.log

MD5
12557ab909651a6f99d3503d614d3562

SHA1
b86745768059a514bea3a438e1e96086af463246

SHA256
9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd

SHA512
10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
532e295b7dcbcc0283f17789b7f4f0e1

SHA1
e9e70f22cc6d2974a8c00fa655cd2948a0fae858

SHA256
2913df8db33623f8989e0d5607ef79607df99b576cae0c8d050610c55f83b167

SHA512
3e7fda9b3a015d9d12a62ec4d678db0b3efe01e72fcd6e33ad17f5a35479b52a33e1dc721e51eac8700de386f465af9cd02e6833f1d528c1772a7e2ed4eb0307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
144ec8437b4cc1f6cc178691cd71ea7f

SHA1
cd48dc904a4662e1918726bfc0f6852a885c6b09

SHA256
7968a2c59662554899a8dfaa8b7ce580755b2c720221ec9bf0f05ecadcbab501

SHA512
5d19dcaf9ccd7717756c14ddcaa0fd7e512f53cc202556aa5c57ae4101676aac1c80e22610999be6a352f0734f28c08a3858fb707d5dcde35ef74ab1ccf73e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3ff740792981e0bf7c6cfcd32005e729

SHA1
6761584deb9b4284d72eec4d5aab664fe8cb9c17

SHA256
f29a4fbc541c8d65c8323beda94dd7bd0b5cc194fd704bd6796daa3d8f1153dd

SHA512
75dc8b2e4d3245b89298b5caa903df0fa424f2d733d7f81e5141e2ff3e1da5220ebcba306fe1fdda64a4dca673579f509c67a0cbcfe3495630ffd7655f7fbed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e54b0cf5770bdfc81a23d61c02972817

SHA1
e426224513f505ebbc59e5099163051aa90e60ee

SHA256
817796caeab7141b4e3160429d568ddf63866423064281a2cbe358b428b0e5dd

SHA512
02cde88622e30bfcdb3f86709333e6572b8bdb4158bc529f57fe1e5e351671b8d4c71f3dad486e0467edaf0f248bf7bdfa15c67e638da5aa71e61fbce8dc1644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
cf7b50c11d5021e7fa7300dd2349331e

SHA1
c248a14b9cf639052565c83889fac3b9b47c9ef0

SHA256
92af2f9f237c9fe1b23918c4ca40f035948373acc12ef20ff9c44e8a6546d40b

SHA512
bbbaa6f9357cb19844b378f0460ea2793977b2fe0c8840a5ba30a3ae158ec80ead81a5c98e5cb6de83969172a51478f04a040b5d5a8a942c62dc565dd3725f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
cf7b50c11d5021e7fa7300dd2349331e

SHA1
c248a14b9cf639052565c83889fac3b9b47c9ef0

SHA256
92af2f9f237c9fe1b23918c4ca40f035948373acc12ef20ff9c44e8a6546d40b

SHA512
bbbaa6f9357cb19844b378f0460ea2793977b2fe0c8840a5ba30a3ae158ec80ead81a5c98e5cb6de83969172a51478f04a040b5d5a8a942c62dc565dd3725f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1468549c8314885c41252560f9bcecfb

SHA1
85bc34c58c5472633e71914ea8d2ed60c95591bc

SHA256
d2836cfd5ca73880eab67676dd1e14f7231010941993245d74e93c045ba61cee

SHA512
b4c75805bd02acb13a1e64cb3de34473173fb4541a6a4a96079dbaabba59e0f2f4a8279fa7dacd18f888aed5fbc292605449ad05426064f091d548c84efa8719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7c0677b0cf99eb397a10d66509a25f0f

SHA1
cacfd661e98ae23f909f23f70d3a6f1a988387aa

SHA256
a7becc94774517f01e64f9cff0edf18a4cd3c14629bc050dc5ba4aa5c5b4531b

SHA512
70c5e37c580246bb62d2b791f0258e924394934bcfa763d6b3372b4db5c315009bdbf46c754496863109567be60021802ef61bbce6423b398cc2afea5f5932b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
adf75f8a9a185d5c3e8217ab1dcb17a1

SHA1
4301406c9249ac84920c7ce9d05001f78c9c7110

SHA256
590f5000b05401f2b8ac27804e957d8dbf45d6cd785299afd318d2230a874790

SHA512
1aac4011d3040acdbcefba4bc4fc8255c490d14b90be716c7f1c8e3beeff2166fb52ddc7a8beee86b17d6861f0381bf18f322396f93510d73051e8747c9d2d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bfbeaa06b38a940ee6d230d2a7df3f4a

SHA1
992788116ee0a3f71a6d07330b167933db7f3b8a

SHA256
3db069ee8d1d460192c640ba1c49c0237aeb94545dfde017cfc189ac0d9114a7

SHA512
8d1b34b3a05272e0f7525fb256564d3c4c0aeb11470e1b79af282bb3deba7449c2e57d7c7f3d40f0d4097ce9a48c0aafef6145f964edc848f5e6993716859de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bfbeaa06b38a940ee6d230d2a7df3f4a

SHA1
992788116ee0a3f71a6d07330b167933db7f3b8a

SHA256
3db069ee8d1d460192c640ba1c49c0237aeb94545dfde017cfc189ac0d9114a7

SHA512
8d1b34b3a05272e0f7525fb256564d3c4c0aeb11470e1b79af282bb3deba7449c2e57d7c7f3d40f0d4097ce9a48c0aafef6145f964edc848f5e6993716859de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
93bca5e009800d7766ad0468a21e7c57

SHA1
d193bdbe1666a0b3bb5541c9f351403c801596f1

SHA256
ef42a4952105ea6e71257a0b8fe4912cfdec04eb21217631a6be4ed2a7c7d524

SHA512
4df881136c821235982f9b0efe8cd0737273d48b6a428569f31446a49589bca3801afa6c02e3ab44ccb548a70234cacf248026e9534ca78f1124b78dcd70fa97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
93bca5e009800d7766ad0468a21e7c57

SHA1
d193bdbe1666a0b3bb5541c9f351403c801596f1

SHA256
ef42a4952105ea6e71257a0b8fe4912cfdec04eb21217631a6be4ed2a7c7d524

SHA512
4df881136c821235982f9b0efe8cd0737273d48b6a428569f31446a49589bca3801afa6c02e3ab44ccb548a70234cacf248026e9534ca78f1124b78dcd70fa97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
86ce704e23638078cda4b37db60b519d

SHA1
6ccd75cac463c8d89136963fbcff0db861381c91

SHA256
62bc1965929ffe7cf8433e2f81f9e60cd7075384c72e1de5ded410f7a0b517f5

SHA512
8489e6303f214e836dbb15c7c8799870c1e17fdefa9380b3bf6bb0fa0ac571f6c8b77671bebc3096b34f73606a1323c0b77b093514f84b28dea559db615ef221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ed0c3c016a5bd724c5b4ec1112d0b7a2

SHA1
2f37152e49fb1c7ee1c6a464c132316dfaf416ea

SHA256
e1f5ab71a74fc948195a4edd51c554e998676bde8ee0710f7afb673fcd59c196

SHA512
736c7739a78bf5fadf74fc5638ab62406b43a8d2c2704d2fe012f282346150b77bd8d26f59b1be228d817b8fb4876fdb5e8bc3564d9fdf95d5629022d654b66a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0b3da9175975eaf8fe8a60a7498ccc37

SHA1
b99c561b47f8314843f816ebc4e348924e9fe010

SHA256
156248b1261b9a479aba9c2b569a1ad23cf4ca6df2755ebeec9e911650ffeff4

SHA512
ee8b7ce29c109259b63fc6148dbb16674ecb3efe73feb44a79e7468f6d6ee98d07071e03107f8608602e83b2922daad15c07ff3a6de7cfd80fda00c342fae5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
441f7f939e2ac6733a12a0178e1c6d7b

SHA1
b89ffdff8b0ee8dca9d15bfef56489412f69adfe

SHA256
3091faeac46c425e09920a099907180e81666eb867eee746df6fcd9305298caf

SHA512
db9f3c99c46eee986e9cc8c9ac1b03d5070c757b14ef857d5ba9a1d5e4e9decdfd1631eaf3457753123042ec6db6e0b6a4c6604622afbb997fccf68b751b68d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
441f7f939e2ac6733a12a0178e1c6d7b

SHA1
b89ffdff8b0ee8dca9d15bfef56489412f69adfe

SHA256
3091faeac46c425e09920a099907180e81666eb867eee746df6fcd9305298caf

SHA512
db9f3c99c46eee986e9cc8c9ac1b03d5070c757b14ef857d5ba9a1d5e4e9decdfd1631eaf3457753123042ec6db6e0b6a4c6604622afbb997fccf68b751b68d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
68549a4f9a8aa287703deb978efe6c79

SHA1
6743002c88e22c6c8b09aa8fbb2eca7e69e34adc

SHA256
076f82a96bd67e30d399903923136ee21fcab0961679855a48f252d45cef4f4f

SHA512
8a6d45e6e90f049a46321cbf310665ec2db5635e7b075659a38086931e6827ad916442f9b0bef31f158676635b717cec0d58bce74249af8d9e01c1160d66e835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
68549a4f9a8aa287703deb978efe6c79

SHA1
6743002c88e22c6c8b09aa8fbb2eca7e69e34adc

SHA256
076f82a96bd67e30d399903923136ee21fcab0961679855a48f252d45cef4f4f

SHA512
8a6d45e6e90f049a46321cbf310665ec2db5635e7b075659a38086931e6827ad916442f9b0bef31f158676635b717cec0d58bce74249af8d9e01c1160d66e835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b3c8464ad643c26bc645466c22af47f0

SHA1
f356cb4076175be4fa5659d94da1077bed87976a

SHA256
e502e941e9d1787a24f6d80bf44f898b1cba9981987716372aacac957cac107a

SHA512
f28022a9ad2ee1fbba4f23ee1320cefbbe58780a63777ebd0e5092b31c6d9e6095a171543576bdf82c5c3cecca2e35c7ffb75887dccdd930a9f7966db77edac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d0e88d8348389cd0a3ce54dc274825d3

SHA1
e8620a73a3917872163ce5707bc079b74b352db5

SHA256
6ddc21611bfffd49ac5aee999040f01ed120e32e758785540c82e72a71040051

SHA512
60b4a8e6b4cc8a5be7532d0549f26447bfd11d1d9dd6229e1518a0065d6a1829e0e481a3a9ec5a1c466b2947326b2775dc072e0a67254cf219c0d0233d9c5062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
64e0d67e4c984deedbf23f448a409381

SHA1
bd8d1167c83b3876c87d01fe00c477bc055fece0

SHA256
224229d541405c982fef77238766db877d4fff306adda47c1e81b077c6507722

SHA512
3379699a962e7697069c01fec1b56a53605ad67d1f610e25f635a557524afb5b53823748ac6a885856dadbc6ec70cca2a9bf779772d84b377558482df58f1b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
606ddd534423c37e0c3d6d710c5af0f4

SHA1
4b494c96e80df446c20a07daaf71e679a256effe

SHA256
aabb8cf57d34fe69de8f836a696ed31d16c61419be0f1b49e633635dd87b129e

SHA512
88e4cdfbe5634ec53ed1c2922a92f71ebe05582eea78ed2f8e55437c2906f464cedb532aaab0472cc773e64c544b1a0fc889bb2ccdfdc2718e6273be1c368085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d1232fca7be62475a944af48c66d7e2

SHA1
ff84b4d943fcc2884c0732783822ba860437a988

SHA256
200ae8478475d4619181e2b9fd66fb43f217c5ecabced8e08929308d22372489

SHA512
1d196a2c4c7dad356eb676877124aa803f42ab8bc39afd21e906bd90751dc2a53d50d1140869fc48b6346de143d0b50075052f60358ca9d3f4bdebbff07e02dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fd2b817475be4d241d06f3691e0f7b70

SHA1
27058dd39ae49fd82f276b96201ea2d1d6ab65e0

SHA256
ac92250c65a1a89fec957129360d67d4b8d1a79b60c923665151f197c64c11f0

SHA512
520a1b0b6ec87c6d0dd312306dce46b7c2c6bd5893b44bdc81c27a8c9578320d2554149e424de8e0fc3e7a72a3b220a146396bcd194aa00620202b93c1472e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
025a667404203270da7ee16135f40cf0

SHA1
b89ab23542c1198548d53b8d85bf253383ab4ac2

SHA256
d7547a90958891b78177383568a27870e3adacb4948d6b2e9a9f481912de48ac

SHA512
eff04b957328d301c569a9a79c4e87dc84c132a42f7e08481df706af21da5c872b5954d88e596980c1499e6fffdc0617c3ad72c18c0892f04a583e5601b859ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5a0f875bbf681534dc27f551e70d4dc0

SHA1
9d2cd4ef4122a7e5c729aa37481b127fec4b9a1a

SHA256
be977839c7653d9807df75b4d0a64b10c38218cd89fd84f99cafb4fc0000d5d4

SHA512
03f57ee35fd4c37320619e5fa3017000c6d6c7b1971243bc446eb00ea2bae8d5fb95a5ea7400ab3c7ad7780b80cc176a7a49282808980baf213542606cdf063e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8afb326a378998fbcae738d339e4bda8

SHA1
ef2799184b036a988b5b105f96a710811895092a

SHA256
bfeeedcc73207159774cddd931889455aaa79c3c20ee5cb35e2828ec2cd38f18

SHA512
e386ebc672edb7909985ee087ef93203244b60aa33c0836bbe2b67b636168d32f5c896b5f60ab4d684db27e2c727dd65448ede87c38fdc1ec8cb90c6bcf89168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5852188a34b69932d9bab6899fc5ac24

SHA1
c8f2b68881b69c5f4b5865df2b475174312be2b5

SHA256
dace2e592e513e10a386dfd471c670fd06c0f956b0658d3f46580a91e28f42cf

SHA512
10173bece315477ac03e6703453932ba2baccc0bd4530244c4e6ab899b06f8af62aa3f04d8e6c13cc088ac832f4d71d88bc219f49c48fd70d662d329be3e7548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
89058e3e992113ff84ee8e68abd7e216

SHA1
a5db926487fb0570dc2eb7030317974ad0eec871

SHA256
e4b4ec302a07bd369d24513f76dd3a5c23bffc0e6a3211559fddb3c1c146b124

SHA512
e519ef3c0ec3fc44cadbbbf13f577b8c92d79730ba6171f5d509cb45ea0cab0bfc1c32f33d35964a47f88ef95def13dd93ad91baeac4497a0e84bbbc4a08f979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d88b307a247896da2875aa77791694ca

SHA1
98d6c2727b80d1055b4223211addbf3b651ede96

SHA256
e016e8d56e09958c6b688b953c662f82eb13e6a6a1595c0d0ad52f5fc5b32a4c

SHA512
bf8331720da0173343f2e932519543faeb442a6cef0f91968ecb89a54366ecc010f71d03e072a291a4e2f87c3cb8135a25654cd83d30c7a9341f5dd31df58858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3266eac9ab75e16dcd9141685671508f

SHA1
75870823be921b9fe8c68a1603b3d33cc25b8ee0

SHA256
5071e88b43b5cee812f74c4cc537ebf52025207ebd5256279dd8e1f1c3b773ba

SHA512
4eac41d088776e947ed16e7044ee2ceeb7804f5fa13f1e3593a4d603bd2c5748bc1da106895a260f1b1ce53734905565e8d5f090cbef1850a1c9218b6b7a7cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
396ebba219033a62ce651877fe399af4

SHA1
6fc2e11ad72e71425cc585518a64472ba8f087d2

SHA256
d5d8eba1cf48d19cc0260adcfa3374b61bb1eef4ddb8daa681a10c4fc4077bea

SHA512
f79ea41006884dbd71e115d5760e23888994805c4f67a2d9d52d111b0d9f6302d0f4ddb4f958e92943250610afe2f7903c52aa3f3c5fb0fd051ca8844cb45130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
396ebba219033a62ce651877fe399af4

SHA1
6fc2e11ad72e71425cc585518a64472ba8f087d2

SHA256
d5d8eba1cf48d19cc0260adcfa3374b61bb1eef4ddb8daa681a10c4fc4077bea

SHA512
f79ea41006884dbd71e115d5760e23888994805c4f67a2d9d52d111b0d9f6302d0f4ddb4f958e92943250610afe2f7903c52aa3f3c5fb0fd051ca8844cb45130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
484158e95d785cc8661ce9d41ed5b9d0

SHA1
9eb361ab29519a82db93b2542ac0d4647a59b886

SHA256
cc6ef3f0d26c1c2928fc60def185f4f2898a76f4249470c9d4fb21e1e864f0be

SHA512
3ba21c778245d8effae453edbfd1cbc0969833010dc98dce70e95bcd75473ce5d45a32ceb6e8970c55de5ba63fcb97b95b8d827c3908f4a796271c6130cf334c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
059ecdb85844dfa5906c38ccadc7e6fb

SHA1
1262dcc44066553073261d9a8d3bd3d73a6fac69

SHA256
a399460669ebeb7b7bf0908f8001fa067009aa9b37c96ad1ae410a194e9f09b9

SHA512
53735be7dd546d5a4dca641da7f94e5fcc2f63df9aba75c95dd0264ff31f7b02f7588f5e496f3b9ef33f7140bf6ba968d2e52ffd85bc42a812b4ce1a821cf660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
023b4e804fb627d79b1a936c7c601146

SHA1
7198789ef31376a8a4a3a1b788a290a859e098dc

SHA256
f793e8764121cccd15c3c9070a56dd238ae49c515a945a6533849f7da16121c2

SHA512
63dcf16d297ed7882a2cfb1b7767289834f0408b693a450879f50831de5ab3cd095132a369cc00da7b5f57947a6e7163a392a19dfccb0bbd9e353a64ebc16212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4fa4ae3fd63b929fa70aa0b11ecc6dbc

SHA1
137d556bce44411d713337da91e46fe0cf5a11a7

SHA256
ae4a3cd5a2ee0c2f963f97d3d42f67a6f88cb8d837d861e74a39d9cb50b6fa52

SHA512
1ad5866ea81aac3b801ce9532475146ae6b2e2eaff6c0c54fdab0a95e4547c38bcd2ba880e54f7517f076f75eebce956309c0bf9fb8d575b4aa52bb40c53ff65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d231851efda1463f1ebd4d3ae1dc0b32

SHA1
a1967e449544e2269d32d68c703dd16663dd584d

SHA256
f048f77ad495f730a35c0ddbe1af8ab07ccb3d4e81d285a762a36ecfdcb26714

SHA512
cde226f35f66a148187d989d31007bc11de25a4e59ed26ad53c9b97486be8663cf55d672c1f7aff4f861b98d2c3caaccfb81800e46c6928d98ad9ba250cbff0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
63543e0914ed2edcb3b9824d9f31b23a

SHA1
c6359a457258f289c2f938f3b5e09287af876dd1

SHA256
09968131164a421e6af9c58a12c80d1409f996df18cefe964f0c84500fbdc217

SHA512
c7a7ddbecc3ef96d980ec62ce34ac9ea8c6fdfec071da934ab9f67a3ae394307a5621d522d18aeab7b4d79e2bb74a436595d3bb0911c495f030244f43b259e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1dbcb69e7cbc1931ecf7cf829f31c244

SHA1
bcb0cf13ed8f1361d2e3f26ea13c32b4882a4c5e

SHA256
3b96450f1ed692224030f0a74636907e13cda1fa99b1d1b42e20c682b983d756

SHA512
e1e170fc2c4bb38619754818a7d914be558f716eeac60b8979add4c758d05f18f85819033bcdf4bb923f42f1d6a3d8be0d7b8c3d94fb5782f5646fd8ea5b6104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
09e32495a6de27d414802c0487ecf7e1

SHA1
5173412bd9acf6c27fb607ba0d83f41af06a27b8

SHA256
86c75b8b2ecf1ba2b9ae4ae87b67fa93d66ba4318977c6a3a368ae300db645f1

SHA512
5486b736af86312c0edf8c817d71fcc942ae6556f0d8ee7dbb93b0f393d535c45790cb1b4c35403359cc24caed80118956e440bbe7414b897c848e822bf711b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a81556651de73051c90ae6cc8b1cd738

SHA1
05921a627604288e15593f19bf9d8795e8050f30

SHA256
3eab155036601abd84b370ab12823458dae98de1575d556990f10c2c64c1467b

SHA512
16afd56c60b223eaa525a204c1e72fa2578c593db44490e0474d49e1bf5480354101252f5c72f2c1bea08e79564fed960c25fc8b247cd4d2d0bc0e09d2240449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a81556651de73051c90ae6cc8b1cd738

SHA1
05921a627604288e15593f19bf9d8795e8050f30

SHA256
3eab155036601abd84b370ab12823458dae98de1575d556990f10c2c64c1467b

SHA512
16afd56c60b223eaa525a204c1e72fa2578c593db44490e0474d49e1bf5480354101252f5c72f2c1bea08e79564fed960c25fc8b247cd4d2d0bc0e09d2240449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9fae15014f40e834bbe0701229990b98

SHA1
ee5980d58b73c0ec734e9ce5326617c072f2be66

SHA256
e8d8eb49756f96c67fd4af087093b481ea14ba1d3162712c2751a3c717978137

SHA512
7168e12d6d0fdb941939739320964055c5fb2eb697647e402f270ce24fe41aca11efca50fe93e80dd5e31b2e6025040cc141dbe12cfe67f0a30c1aa0ea030e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bf1d8cb223c53c094e33c523de28b31b

SHA1
ebeb869650c0d2087fed323ff2cff38cc1002249

SHA256
6b951eae48202a89a6ee1f88ff60696ef382d7f1dcce4351028acf66a74bd3ac

SHA512
098418d0a1333546765b3a50cd7152323bdf04b169198fc88fa99bc3724ba697a02afcfcba27eaea2450ce05143e0fd869fe4d01b7fa5daf66d5d42d1da24751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
91bbd70b02c732c9a5428180fefc9364

SHA1
1a2c9eeeddb47ddeb876201ea9465a608dc1c697

SHA256
856a5532bdf1e4f2b3b283fe7e8764b9adae93392005b025537557c7d8467373

SHA512
2030aaf70f4c20c0ad1f07e329dc8e37cca90155a9f61e1cdd42d6e93dfb02128aeb6ee1dc748f9f237981074719e2c05c015cc12fa1d52554d6356c460845c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1056b1c8e19ffd0e9bc0f9c39bcef480

SHA1
e7b6a2aefc6cf99d66c72056822d2127f80b0ba5

SHA256
570bdc1c885bc7d30e21b332538a3bc05fb3dd43720c75edb49f30a693482def

SHA512
6104cccf1c868f4ead9c8da891fe7d0a5c46c15689e081f900928f56a77b4e684105793724507f5258a1583d6ec8edbd06e48787879c7b895d26a9097c39ba71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a6dd734cad582f1c040ede121ec9c36c

SHA1
3698b391d5dee05960db3a54f750942d86cb48a8

SHA256
baf126e097b2945488f3ddc5480672a9a3b258ae3057cff33dc52a140e8c8bc4

SHA512
345ad1fd55ae9a57783358f1a0f90bf5f2b27425e5e016c027415932d9106cfc056814cc6acbd865d3b735c3b892f6fa59144a30ec1a9b191fa73afd8f7566a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2eeae8df918c1d7b39a64b9b03cd7dd2

SHA1
a0e4ee7c503192cb009a8f66e520ab9e358adcb4

SHA256
6a233cca3c5996ce4bf75ed482b60be7f436db96978e9be924ac9b529a99cf23

SHA512
3ee28f31d588ae94b177eeba9d631a6011c6c64a5d286ea9326e29b395e6530af98420d3c08351b856d39f5da5379f48d88dc96d8ab65defcec89b39f29f5009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bb6cab32b495d7496c8e05a83473be1c

SHA1
bc661b9f014f43296dbe1db0d31f7a658389ea13

SHA256
a0f081fdefe4d95ad71f827e373602583f9d2a65942a48b2db244c3e1a63dfa0

SHA512
cafbec09ee5027256234b931dffa0665e369ee9ec521b66c3614814af920dd80c85112c0f8f54012c6b4566fc9e226e07495f33d63589d2d7f894542c299c4d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
04a1c254cdea7ea35e95fc499f28be32

SHA1
5510e6e9a7a8a49445215af79e520ac06b84a22e

SHA256
bdb606e04fae983fb948964cd464d61f727206fbb4e15f904891c51dec254eec

SHA512
0058b57f1f35888417ef944cd8d6f91f437ea00effc94aecf42bcf3022a82d374076360283efe41f7d6f36cd785bdeafa814119993eb713cbc42a8178ec744af

Download Submit
C:\Users\Admin\AppData\Local\Temp\2eihrgvz\2eihrgvz.0.vb

MD5
3d2de6b3db53aa9b5f4117a0576b8f71

SHA1
90f5bfe243ce4a359a37b65f27217e556864bdd6

SHA256
9d2f88a50f32712459cc23bf31bc33ff78997c1dff63edcd8ab5c7257c000d7a

SHA512
3586313be7a87d9f6d389cdbf9c7981788b379028e944c6a2f5cab15d48c74b36a3afb709c7992cdc7b87dc6bc488a50c8008b4110fe84893995c41ed6348c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\2eihrgvz\2eihrgvz.cmdline

MD5
4d579f8528d76ac95ea4456c3d9a45d8

SHA1
9eeed31a74088bd4ecb2ee84353cdbecfdededed

SHA256
b4366f46f73b97b8d0ce75738915451f7a57dab42de57457431bc41a2b27b067

SHA512
900e1c82b8f7cd5f5f5dccd1665a298befecb54a49770f683483feaa9bd911db7f9b71b69c13fff366eb0102b0eae3eacb6594243ebec13aad73088ddf4ccc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCF6.tmp

MD5
369458a485c06fa8d05228ae920e90bf

SHA1
e683511620811b31def7dce6def638f0fb67db22

SHA256
795cb387b349627323d7b8cdfb9c434db8bdba6499be1d4f7f7b600f2f2734d4

SHA512
25152c91376d6255aa503e39ad14b14f2f6f3cae87e3821ba6d399385f5efa1a6f7a7252981d8ff3c29802d94af29349e56db6838278ed18a1cf35c60ee82285

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAEE072B16B24908AABAEBC554182ACC.TMP

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
\Users\Admin\AppData\Local\Temp\IconLib.dll

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Local\Temp\IconLib.dll

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
memory/360-1892-0x0000000000000000-mapping.dmp

Download
memory/636-800-0x0000000007860000-0x0000000007D5E000-memory.dmp

Filesize
5.0MB

Download
memory/636-772-0x0000000000000000-mapping.dmp

Download
memory/804-386-0x0000000005E80000-0x0000000005E83000-memory.dmp

Filesize
12KB

Download
memory/804-403-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/804-385-0x0000000005E70000-0x0000000005E78000-memory.dmp

Filesize
32KB

Download
memory/804-402-0x0000000005EA0000-0x0000000005EB8000-memory.dmp

Filesize
96KB

Download
memory/804-225-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/804-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/804-133-0x0000000000408DCE-mapping.dmp

Download
memory/828-138-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/828-362-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/828-124-0x0000000000000000-mapping.dmp

Download
memory/828-130-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/828-144-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/828-165-0x000000007F0A0000-0x000000007F0A1000-memory.dmp

Filesize
4KB

Download
memory/828-152-0x00000000089C0000-0x00000000089F3000-memory.dmp

Filesize
204KB

Download
memory/828-135-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/828-129-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/828-166-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/828-164-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/828-143-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/828-128-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/828-140-0x00000000066B2000-0x00000000066B3000-memory.dmp

Filesize
4KB

Download
memory/828-159-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/828-141-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/828-224-0x00000000066B3000-0x00000000066B4000-memory.dmp

Filesize
4KB

Download
memory/828-142-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/828-368-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/852-1029-0x0000000000408DCE-mapping.dmp

Download
memory/852-1202-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/956-2073-0x0000000000408DCE-mapping.dmp

Download
memory/988-2106-0x0000000000408DCE-mapping.dmp

Download
memory/1160-1948-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/1160-1926-0x0000000000000000-mapping.dmp

Download
memory/1160-1947-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/1160-1957-0x0000000006F43000-0x0000000006F44000-memory.dmp

Filesize
4KB

Download
memory/1220-747-0x00000000075F0000-0x0000000007AEE000-memory.dmp

Filesize
5.0MB

Download
memory/1220-739-0x0000000000000000-mapping.dmp

Download
memory/1240-2090-0x0000000000000000-mapping.dmp

Download
memory/1248-531-0x0000000000000000-mapping.dmp

Download
memory/1248-591-0x0000000007C90000-0x000000000818E000-memory.dmp

Filesize
5.0MB

Download
memory/1332-431-0x0000000000000000-mapping.dmp

Download
memory/1332-439-0x0000000007320000-0x000000000781E000-memory.dmp

Filesize
5.0MB

Download
memory/1404-122-0x0000000008940000-0x0000000008979000-memory.dmp

Filesize
228KB

Download
memory/1404-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1404-123-0x00000000080A0000-0x00000000080AA000-memory.dmp

Filesize
40KB

Download
memory/1404-125-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/1404-121-0x0000000007E40000-0x0000000007E5D000-memory.dmp

Filesize
116KB

Download
memory/1404-120-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/1404-119-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/1404-118-0x0000000007CC0000-0x00000000081BE000-memory.dmp

Filesize
5.0MB

Download
memory/1404-117-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/1404-116-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/1512-466-0x0000000007020000-0x000000000751E000-memory.dmp

Filesize
5.0MB

Download
memory/1512-458-0x0000000000000000-mapping.dmp

Download
memory/1600-1046-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/1600-1146-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/1600-1021-0x0000000000000000-mapping.dmp

Download
memory/1600-1044-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/1600-1144-0x000000007E6B0000-0x000000007E6B1000-memory.dmp

Filesize
4KB

Download
memory/1620-803-0x0000000006CD3000-0x0000000006CD4000-memory.dmp

Filesize
4KB

Download
memory/1620-802-0x000000007F380000-0x000000007F381000-memory.dmp

Filesize
4KB

Download
memory/1620-767-0x0000000006CD2000-0x0000000006CD3000-memory.dmp

Filesize
4KB

Download
memory/1620-750-0x0000000000000000-mapping.dmp

Download
memory/1620-766-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/1948-392-0x0000000000000000-mapping.dmp

Download
memory/1948-401-0x0000000001910000-0x0000000001911000-memory.dmp

Filesize
4KB

Download
memory/2100-449-0x0000000000000000-mapping.dmp

Download
memory/2100-457-0x0000000006EF0000-0x00000000073EE000-memory.dmp

Filesize
5.0MB

Download
memory/2120-404-0x0000000000000000-mapping.dmp

Download
memory/2120-412-0x00000000076C0000-0x0000000007BBE000-memory.dmp

Filesize
5.0MB

Download
memory/2156-2065-0x0000000000000000-mapping.dmp

Download
memory/2440-440-0x0000000000000000-mapping.dmp

Download
memory/2440-448-0x0000000007560000-0x0000000007A5E000-memory.dmp

Filesize
5.0MB

Download
memory/2772-604-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2772-478-0x0000000000408DCE-mapping.dmp

Download
memory/2796-2023-0x0000000000000000-mapping.dmp

Download
memory/2812-1925-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2812-1915-0x0000000000000000-mapping.dmp

Download
memory/2992-2103-0x0000000000000000-mapping.dmp

Download
memory/3200-1027-0x0000000000000000-mapping.dmp

Download
memory/3224-1971-0x0000000000000000-mapping.dmp

Download
memory/3224-1991-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/3256-2071-0x0000000000000000-mapping.dmp

Download
memory/3256-1003-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3256-758-0x0000000000408DCE-mapping.dmp

Download
memory/3408-1741-0x0000000000000000-mapping.dmp

Download
memory/3408-1977-0x0000000000000000-mapping.dmp

Download
memory/3544-476-0x0000000000000000-mapping.dmp

Download
memory/3544-756-0x0000000000000000-mapping.dmp

Download
memory/3664-131-0x0000000000000000-mapping.dmp

Download
memory/3832-421-0x00000000078E0000-0x0000000007DDE000-memory.dmp

Filesize
5.0MB

Download
memory/3832-413-0x0000000000000000-mapping.dmp

Download
memory/3868-481-0x0000000006832000-0x0000000006833000-memory.dmp

Filesize
4KB

Download
memory/3868-518-0x0000000006833000-0x0000000006834000-memory.dmp

Filesize
4KB

Download
memory/3868-516-0x000000007F070000-0x000000007F071000-memory.dmp

Filesize
4KB

Download
memory/3868-479-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/3868-469-0x0000000000000000-mapping.dmp

Download
memory/3940-2031-0x0000000000408DCE-mapping.dmp

Download
memory/3944-430-0x00000000079C0000-0x0000000007EBE000-memory.dmp

Filesize
5.0MB

Download
memory/3944-422-0x0000000000000000-mapping.dmp

Download
memory/3980-1979-0x0000000000408DCE-mapping.dmp

Download
memory/4032-387-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4032-388-0x0000000000403DAA-mapping.dmp

Download
memory/4140-1436-0x0000000007440000-0x000000000793E000-memory.dmp

Filesize
5.0MB

Download
memory/4140-1376-0x0000000000000000-mapping.dmp

Download
memory/4144-1229-0x0000000007590000-0x0000000007A8E000-memory.dmp

Filesize
5.0MB

Download
memory/4144-1204-0x0000000000000000-mapping.dmp

Download
memory/4184-1808-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/4184-1771-0x0000000000000000-mapping.dmp

Download
memory/4184-1805-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4184-1914-0x0000000004793000-0x0000000004794000-memory.dmp

Filesize
4KB

Download
memory/4196-1037-0x0000000000000000-mapping.dmp

Download
memory/4196-1047-0x0000000007BF0000-0x00000000080EE000-memory.dmp

Filesize
5.0MB

Download
memory/4244-1936-0x0000000000000000-mapping.dmp

Download
memory/4300-1524-0x0000000000000000-mapping.dmp

Download
memory/4300-1567-0x0000000007310000-0x000000000780E000-memory.dmp

Filesize
5.0MB

Download
memory/4320-1968-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/4320-1939-0x0000000000408DCE-mapping.dmp

Download
memory/4332-1946-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4332-1897-0x0000000000408DCE-mapping.dmp

Download
memory/4436-1690-0x0000000000000000-mapping.dmp

Download
memory/4436-1719-0x00000000071C0000-0x00000000076BE000-memory.dmp

Filesize
5.0MB

Download
memory/4544-1958-0x0000000000000000-mapping.dmp

Download
memory/4544-1967-0x0000000006FF0000-0x00000000074EE000-memory.dmp

Filesize
5.0MB

Download
memory/4596-2053-0x0000000000000000-mapping.dmp

Download
memory/4632-1456-0x0000000000000000-mapping.dmp

Download
memory/4632-1526-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4664-1644-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4664-1912-0x0000000007193000-0x0000000007194000-memory.dmp

Filesize
4KB

Download
memory/4664-1576-0x0000000000000000-mapping.dmp

Download
memory/4664-1646-0x0000000007192000-0x0000000007193000-memory.dmp

Filesize
4KB

Download
memory/4732-1309-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/4732-1143-0x0000000000000000-mapping.dmp

Download
memory/4732-1174-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4732-1177-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/4732-1264-0x000000007E750000-0x000000007E751000-memory.dmp

Filesize
4KB

Download
memory/4864-1153-0x0000000000000000-mapping.dmp

Download
memory/4916-1403-0x0000000004362000-0x0000000004363000-memory.dmp

Filesize
4KB

Download
memory/4916-1528-0x0000000004363000-0x0000000004364000-memory.dmp

Filesize
4KB

Download
memory/4916-1480-0x000000007E410000-0x000000007E411000-memory.dmp

Filesize
4KB

Download
memory/4916-1359-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/4916-1332-0x0000000000000000-mapping.dmp

Download
memory/4924-1493-0x0000000000000000-mapping.dmp

Download
memory/4936-2012-0x0000000000000000-mapping.dmp

Download
memory/4944-1313-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4944-1159-0x0000000000408DCE-mapping.dmp

Download
memory/4960-1505-0x0000000000408DCE-mapping.dmp

Download
memory/4960-1684-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/4968-2001-0x0000000000000000-mapping.dmp

Download
memory/4972-2029-0x0000000000000000-mapping.dmp

Download
memory/5052-1853-0x0000000000000000-mapping.dmp

Download
memory/5052-1893-0x0000000007570000-0x0000000007A6E000-memory.dmp

Filesize
5.0MB

Download
memory/5084-1504-0x0000000000000000-mapping.dmp

Download
memory/5092-1746-0x0000000000408DCE-mapping.dmp

Download
memory/5092-1896-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1404 set thread context of 804	1404	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 804 set thread context of 4032	804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	MSBuild.exe
PID 1948 set thread context of 2772	1948	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2120 set thread context of 3256	2120	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3832 set thread context of 852	3832	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3944 set thread context of 4944	3944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2440 set thread context of 4960	2440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1512 set thread context of 5092	1512	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1248 set thread context of 4332	1248	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 636 set thread context of 4320	636	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4196 set thread context of 3980	4196	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4144 set thread context of 3940	4144	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4140 set thread context of 956	4140	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4300 set thread context of 988	4300	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4436 set thread context of 4136	4436	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5052 set thread context of 4624	5052	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2812 set thread context of 3180	2812	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4544 set thread context of 3876	4544	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4936 set thread context of 2772	4936	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4968 set thread context of 2332	4968	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4596 set thread context of 4132	4596	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4732 set thread context of 2196	4732	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4836 set thread context of 3564	4836	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4944 set thread context of 2332	4944	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1864 set thread context of 4092	1864	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4040 set thread context of 3916	4040	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5076 set thread context of 4232	5076	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4572 set thread context of 4188	4572	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4516 set thread context of 3196	4516	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2900 set thread context of 2816	2900	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4684 set thread context of 4364	4684	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4504 set thread context of 4040	4504	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4532 set thread context of 4640	4532	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4760 set thread context of 4756	4760	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5084 set thread context of 4636	5084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3812 set thread context of 4844	3812	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2260 set thread context of 4640	2260	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4704 set thread context of 4740	4704	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 796 set thread context of 4036	796	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4784 set thread context of 4700	4784	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4960 set thread context of 2096	4960	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2152 set thread context of 4640	2152	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4976 set thread context of 4920	4976	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4816 set thread context of 3156	4816	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1804 set thread context of 4232	1804	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5080 set thread context of 2288	5080	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4176 set thread context of 5092	4176	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5004 set thread context of 2904	5004	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4440 set thread context of 2892	4440	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4408 set thread context of 4656	4408	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2808 set thread context of 4676	2808	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3720 set thread context of 4400	3720	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3180 set thread context of 3380	3180	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4300 set thread context of 1044	4300	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4668 set thread context of 4700	4668	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2256 set thread context of 4792	2256	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1928 set thread context of 4648	1928	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3620 set thread context of 1504	3620	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4148 set thread context of 4544	4148	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1244 set thread context of 3832	1244	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 5060 set thread context of 4844	5060	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 4264 set thread context of 2376	4264	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 3164 set thread context of 4928	3164	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2068 set thread context of 1728	2068	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr