umbral | b9395c6223dd34cdd95dd5c298eb609a806b12f2f2bcf9b0932b47ab564ee591

Analysis

max time kernel
961s
max time network
961s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

192KB
MD5

066f7f594bf6f254748bc19562dd1bc3
SHA1

313883f4a7fbfc3c60b153492aeefb927c5d5694
SHA256

9398c6385a5246fe4b86b0f247ddb8a93a9c326389dabef1b96bd65af09b360e
SHA512

04f0c82938dee7a790876ab39282c36eda0c6de11a337d93f728c07be6ff5997605c6a9bba886b94091c313795ee19bf96d65ca9ac1e1d62eeab7acd33b6afca
SSDEEP

6144:i0mlbUZ0lzEhoPkoaHOw4D/dB8H2HSZRw5:0aCESPkpHNi/bX

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1218605453374914620/OdDYjKWd2x_sgrT_0JmzryiFvoGTz03pvb7F84neOCAte6YtS3TcUiq7-D1K38B9s0T8

Signatures

Detect Umbral payload 6 IoCs

resource	yara_rule
behavioral8/files/0x000300000001e9a0-4.dat	family_umbral
behavioral8/memory/228-13-0x00000185A8480000-0x00000185A84C0000-memory.dmp	family_umbral
behavioral8/files/0x000300000001e9a0-54.dat	family_umbral
behavioral8/memory/4052-78-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp	family_umbral
behavioral8/memory/4016-92-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp	family_umbral
behavioral8/files/0x000300000001e9a0-191.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Blocklisted process makes network request 4 IoCs

flow	pid	Process
149	3964	Process not Found
221	1248	Process not Found
223	1248	Process not Found
225	1248	Process not Found

Drops file in Drivers directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NursultanStart.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
228	NursultanStart.exe
4784	start.exe
4052	NursultanStart.exe
3776	start.exe
4412	NursultanStart.exe
4600	start.exe
5112	NursultanStart.exe
5068	start.exe
4016	NursultanStart.exe
4168	start.exe
752	NursultanStart.exe
1632	start.exe
724	NursultanStart.exe
3524	start.exe
4896	start.exe
2908	NursultanStart.exe
3536	NursultanStart.exe
4292	start.exe
3984	NursultanStart.exe
5076	start.exe
548	NursultanStart.exe
4060	start.exe
4940	NursultanStart.exe
1332	start.exe
3120	NursultanStart.exe
4672	start.exe
3356	NursultanStart.exe
4764	start.exe
1632	NursultanStart.exe
3796	start.exe
4088	NursultanStart.exe
2192	start.exe
2988	NursultanStart.exe
1044	start.exe
1868	NursultanStart.exe
1608	start.exe
1040	NursultanStart.exe
2976	start.exe
3084	NursultanStart.exe
4272	start.exe
4220	NursultanStart.exe
2892	start.exe
1784	NursultanStart.exe
3908	start.exe
4608	NursultanStart.exe
4708	start.exe
3012	NursultanStart.exe
3356	start.exe
1800	NursultanStart.exe
4036	start.exe
3420	NursultanStart.exe
1856	start.exe
4968	NursultanStart.exe
1044	start.exe
4692	NursultanStart.exe
1532	start.exe
4680	NursultanStart.exe
2972	start.exe
4220	NursultanStart.exe
2620	start.exe
3172	NursultanStart.exe
3852	start.exe
4380	NursultanStart.exe
1800	start.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
44	discord.com
98	discord.com
152	discord.com
164	discord.com
206	discord.com
207	discord.com
170	discord.com
279	discord.com
378	discord.com
116	discord.com
214	discord.com
321	discord.com
244	discord.com
285	discord.com
286	discord.com
333	discord.com
366	discord.com
232	discord.com
255	discord.com
360	discord.com
373	discord.com
105	discord.com
158	discord.com
339	discord.com
355	discord.com
194	discord.com
213	discord.com
243	discord.com
346	discord.com
43	discord.com
129	discord.com
327	discord.com
367	discord.com
390	discord.com
104	discord.com
115	discord.com
280	discord.com
140	discord.com
261	discord.com
340	discord.com
384	discord.com
122	discord.com
256	discord.com
267	discord.com
322	discord.com
128	discord.com
218	discord.com
238	discord.com
385	discord.com
200	discord.com
315	discord.com
328	discord.com
183	discord.com
219	discord.com
291	discord.com
225	discord.com
372	discord.com
134	discord.com
146	discord.com
159	discord.com
297	discord.com
24	discord.com
77	discord.com
88	discord.com

Looks up external IP address via web service 49 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
144	ip-api.com
337	ip-api.com
192	ip-api.com
211	ip-api.com
235	ip-api.com
247	ip-api.com
271	ip-api.com
295	ip-api.com
178	ip-api.com
364	ip-api.com
376	ip-api.com
93	ip-api.com
283	ip-api.com
86	ip-api.com
204	ip-api.com
241	ip-api.com
277	ip-api.com
370	ip-api.com
289	ip-api.com
319	ip-api.com
156	ip-api.com
222	ip-api.com
253	ip-api.com
265	ip-api.com
102	ip-api.com
168	ip-api.com
150	ip-api.com
186	ip-api.com
388	ip-api.com
75	ip-api.com
113	ip-api.com
126	ip-api.com
162	ip-api.com
301	ip-api.com
353	ip-api.com
120	ip-api.com
132	ip-api.com
358	ip-api.com
307	ip-api.com
325	ip-api.com
30	ip-api.com
138	ip-api.com
259	ip-api.com
313	ip-api.com
343	ip-api.com
198	ip-api.com
229	ip-api.com
331	ip-api.com
382	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 50 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1688	Process not Found
4304	Process not Found
2268	Process not Found
216	Process not Found
432	Process not Found
3180	Process not Found
3204	Process not Found
2644	Process not Found
4816	Process not Found
4924	Process not Found
4240	Process not Found
4828	Process not Found
3476	Process not Found
2600	Process not Found
3488	wmic.exe
3180	Process not Found
3640	Process not Found
5052	Process not Found
4884	Process not Found
1268	Process not Found
840	Process not Found
5088	Process not Found
848	Process not Found
3732	Process not Found
468	Process not Found
3412	Process not Found
1100	Process not Found
2476	Process not Found
5076	Process not Found
2980	wmic.exe
1688	Process not Found
4188	Process not Found
3636	Process not Found
4424	Process not Found
2988	wmic.exe
1324	Process not Found
1144	Process not Found
4856	Process not Found
3452	Process not Found
1620	Process not Found
3500	Process not Found
544	Process not Found
3624	Process not Found
2436	Process not Found
1744	Process not Found
3236	Process not Found
2416	Process not Found
4612	Process not Found
1140	Process not Found
2880	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	powershell.exe
396	powershell.exe
2228	powershell.exe
2228	powershell.exe
5036	powershell.exe
5036	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
1244	powershell.exe
1244	powershell.exe
1244	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
4876	powershell.exe
4876	powershell.exe
5052	powershell.exe
5052	powershell.exe
2252	powershell.exe
2252	powershell.exe
3640	powershell.exe
3640	powershell.exe
384	Process not Found
384	Process not Found
3908	Process not Found
3908	Process not Found
2288	Process not Found
2288	Process not Found
1776	Process not Found
1776	Process not Found
1220	Process not Found
1220	Process not Found
1044	Process not Found
1044	Process not Found
3852	Process not Found
3852	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	NursultanStart.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1412	wmic.exe
Token: SeSecurityPrivilege	1412	wmic.exe
Token: SeTakeOwnershipPrivilege	1412	wmic.exe
Token: SeLoadDriverPrivilege	1412	wmic.exe
Token: SeSystemProfilePrivilege	1412	wmic.exe
Token: SeSystemtimePrivilege	1412	wmic.exe
Token: SeProfSingleProcessPrivilege	1412	wmic.exe
Token: SeIncBasePriorityPrivilege	1412	wmic.exe
Token: SeCreatePagefilePrivilege	1412	wmic.exe
Token: SeBackupPrivilege	1412	wmic.exe
Token: SeRestorePrivilege	1412	wmic.exe
Token: SeShutdownPrivilege	1412	wmic.exe
Token: SeDebugPrivilege	1412	wmic.exe
Token: SeSystemEnvironmentPrivilege	1412	wmic.exe
Token: SeRemoteShutdownPrivilege	1412	wmic.exe
Token: SeUndockPrivilege	1412	wmic.exe
Token: SeManageVolumePrivilege	1412	wmic.exe
Token: 33	1412	wmic.exe
Token: 34	1412	wmic.exe
Token: 35	1412	wmic.exe
Token: 36	1412	wmic.exe
Token: SeIncreaseQuotaPrivilege	1412	wmic.exe
Token: SeSecurityPrivilege	1412	wmic.exe
Token: SeTakeOwnershipPrivilege	1412	wmic.exe
Token: SeLoadDriverPrivilege	1412	wmic.exe
Token: SeSystemProfilePrivilege	1412	wmic.exe
Token: SeSystemtimePrivilege	1412	wmic.exe
Token: SeProfSingleProcessPrivilege	1412	wmic.exe
Token: SeIncBasePriorityPrivilege	1412	wmic.exe
Token: SeCreatePagefilePrivilege	1412	wmic.exe
Token: SeBackupPrivilege	1412	wmic.exe
Token: SeRestorePrivilege	1412	wmic.exe
Token: SeShutdownPrivilege	1412	wmic.exe
Token: SeDebugPrivilege	1412	wmic.exe
Token: SeSystemEnvironmentPrivilege	1412	wmic.exe
Token: SeRemoteShutdownPrivilege	1412	wmic.exe
Token: SeUndockPrivilege	1412	wmic.exe
Token: SeManageVolumePrivilege	1412	wmic.exe
Token: 33	1412	wmic.exe
Token: 34	1412	wmic.exe
Token: 35	1412	wmic.exe
Token: 36	1412	wmic.exe
Token: SeIncreaseQuotaPrivilege	848	wmic.exe
Token: SeSecurityPrivilege	848	wmic.exe
Token: SeTakeOwnershipPrivilege	848	wmic.exe
Token: SeLoadDriverPrivilege	848	wmic.exe
Token: SeSystemProfilePrivilege	848	wmic.exe
Token: SeSystemtimePrivilege	848	wmic.exe
Token: SeProfSingleProcessPrivilege	848	wmic.exe
Token: SeIncBasePriorityPrivilege	848	wmic.exe
Token: SeCreatePagefilePrivilege	848	wmic.exe
Token: SeBackupPrivilege	848	wmic.exe
Token: SeRestorePrivilege	848	wmic.exe
Token: SeShutdownPrivilege	848	wmic.exe
Token: SeDebugPrivilege	848	wmic.exe
Token: SeSystemEnvironmentPrivilege	848	wmic.exe
Token: SeRemoteShutdownPrivilege	848	wmic.exe
Token: SeUndockPrivilege	848	wmic.exe
Token: SeManageVolumePrivilege	848	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 228	4668	start.exe	89
PID 4668 wrote to memory of 228	4668	start.exe	89
PID 4668 wrote to memory of 4784	4668	start.exe	90
PID 4668 wrote to memory of 4784	4668	start.exe	90
PID 4668 wrote to memory of 4784	4668	start.exe	90
PID 4784 wrote to memory of 4052	4784	start.exe	91
PID 4784 wrote to memory of 4052	4784	start.exe	91
PID 4784 wrote to memory of 3776	4784	start.exe	92
PID 4784 wrote to memory of 3776	4784	start.exe	92
PID 4784 wrote to memory of 3776	4784	start.exe	92
PID 3776 wrote to memory of 4412	3776	start.exe	93
PID 3776 wrote to memory of 4412	3776	start.exe	93
PID 3776 wrote to memory of 4600	3776	start.exe	94
PID 3776 wrote to memory of 4600	3776	start.exe	94
PID 3776 wrote to memory of 4600	3776	start.exe	94
PID 4600 wrote to memory of 5112	4600	start.exe	97
PID 4600 wrote to memory of 5112	4600	start.exe	97
PID 4600 wrote to memory of 5068	4600	start.exe	98
PID 4600 wrote to memory of 5068	4600	start.exe	98
PID 4600 wrote to memory of 5068	4600	start.exe	98
PID 5068 wrote to memory of 4016	5068	start.exe	150
PID 5068 wrote to memory of 4016	5068	start.exe	150
PID 5068 wrote to memory of 4168	5068	start.exe	292
PID 5068 wrote to memory of 4168	5068	start.exe	292
PID 5068 wrote to memory of 4168	5068	start.exe	292
PID 228 wrote to memory of 396	228	NursultanStart.exe	102
PID 228 wrote to memory of 396	228	NursultanStart.exe	102
PID 4168 wrote to memory of 752	4168	start.exe	104
PID 4168 wrote to memory of 752	4168	start.exe	104
PID 4168 wrote to memory of 1632	4168	start.exe	126
PID 4168 wrote to memory of 1632	4168	start.exe	126
PID 4168 wrote to memory of 1632	4168	start.exe	126
PID 1632 wrote to memory of 724	1632	start.exe	316
PID 1632 wrote to memory of 724	1632	start.exe	316
PID 1632 wrote to memory of 3524	1632	start.exe	130
PID 1632 wrote to memory of 3524	1632	start.exe	130
PID 1632 wrote to memory of 3524	1632	start.exe	130
PID 3524 wrote to memory of 2908	3524	start.exe	229
PID 3524 wrote to memory of 2908	3524	start.exe	229
PID 3524 wrote to memory of 4896	3524	start.exe	178
PID 3524 wrote to memory of 4896	3524	start.exe	178
PID 3524 wrote to memory of 4896	3524	start.exe	178
PID 4896 wrote to memory of 3536	4896	start.exe	110
PID 4896 wrote to memory of 3536	4896	start.exe	110
PID 4896 wrote to memory of 4292	4896	start.exe	111
PID 4896 wrote to memory of 4292	4896	start.exe	111
PID 4896 wrote to memory of 4292	4896	start.exe	111
PID 228 wrote to memory of 2228	228	NursultanStart.exe	112
PID 228 wrote to memory of 2228	228	NursultanStart.exe	112
PID 4292 wrote to memory of 3984	4292	start.exe	180
PID 4292 wrote to memory of 3984	4292	start.exe	180
PID 4292 wrote to memory of 5076	4292	start.exe	115
PID 4292 wrote to memory of 5076	4292	start.exe	115
PID 4292 wrote to memory of 5076	4292	start.exe	115
PID 5076 wrote to memory of 548	5076	start.exe	116
PID 5076 wrote to memory of 548	5076	start.exe	116
PID 5076 wrote to memory of 4060	5076	start.exe	188
PID 5076 wrote to memory of 4060	5076	start.exe	188
PID 5076 wrote to memory of 4060	5076	start.exe	188
PID 4060 wrote to memory of 4940	4060	start.exe	118
PID 4060 wrote to memory of 4940	4060	start.exe	118
PID 4060 wrote to memory of 1332	4060	start.exe	119
PID 4060 wrote to memory of 1332	4060	start.exe	119
PID 4060 wrote to memory of 1332	4060	start.exe	119

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3524
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4016
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:760
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4896
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
    3⤵
    - Executes dropped EXE
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
      4⤵
      Executes dropped EXE
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        5⤵
        Executes dropped EXE
        
        PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        6⤵
        Executes dropped EXE
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        7⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        8⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        9⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        10⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        11⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        12⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        13⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        13⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        14⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        14⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        15⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        16⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        16⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        17⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        17⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        18⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        18⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        19⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        19⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        20⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        20⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        21⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        21⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        22⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        22⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        23⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        23⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        24⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        24⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        25⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        25⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        26⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        26⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        27⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        27⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        28⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        28⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        29⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        29⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        30⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        30⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        31⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        31⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        32⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        32⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        33⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        33⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        34⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        34⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        35⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        35⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        36⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        36⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        37⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        37⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        38⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        38⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        39⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        39⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        40⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        40⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        41⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        41⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        42⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        42⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        43⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        43⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        44⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        44⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        45⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        45⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        46⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        46⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        47⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        47⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        48⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        48⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        49⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        49⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        50⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        50⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        51⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        51⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        52⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        52⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        53⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        53⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        54⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        54⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        55⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        55⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        56⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        56⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        57⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        57⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        58⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        58⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        59⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        59⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        60⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        60⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        61⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        61⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        62⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        62⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        63⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        63⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        64⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        64⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        65⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        65⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        66⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        66⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        67⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        67⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        68⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        68⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        69⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        69⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        70⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        70⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        71⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        71⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        72⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        72⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        73⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        73⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        74⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        74⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        75⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        75⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        76⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        76⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        77⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        77⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        78⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        78⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        79⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        79⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        80⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        80⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        81⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        81⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        82⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        82⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        83⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        83⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        84⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        84⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        85⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        85⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        86⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        86⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        87⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        87⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        88⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        88⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        89⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        89⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        90⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        90⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        91⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        91⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        92⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        92⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        93⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        93⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        94⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        94⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        95⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        95⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        96⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        96⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        97⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        97⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        98⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        98⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        99⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        99⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        100⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        100⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        101⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        101⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        102⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        102⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        103⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        103⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        104⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        104⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        105⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        105⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        106⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        106⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        107⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        107⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        108⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        108⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        109⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        109⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        110⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        110⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        111⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        111⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        112⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        112⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        113⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        113⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        114⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        114⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        115⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        115⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        116⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        116⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        117⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        117⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        118⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        118⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        119⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        119⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        120⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        120⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        121⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        121⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        122⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        122⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        123⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        123⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        124⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        124⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        125⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        125⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        126⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        126⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        127⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        127⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        128⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        128⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        129⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        129⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        130⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        130⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        131⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        131⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        132⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        132⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        133⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        133⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        134⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        134⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        135⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        135⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        136⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        136⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        137⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        137⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        138⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        138⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        139⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        139⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        140⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        140⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        141⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        141⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        142⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        142⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        143⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        143⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        144⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        144⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        145⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        145⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        146⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        146⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        147⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        147⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        148⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        148⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        149⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        149⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        150⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        150⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        151⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        151⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        152⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        152⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        153⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        153⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        154⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        154⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        155⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        155⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        156⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        156⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        157⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        157⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        158⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        158⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        159⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        159⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        160⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        160⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        161⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        161⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        162⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        162⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        163⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        163⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        164⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        164⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        165⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        165⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        166⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        166⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        167⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        167⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        168⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        168⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        169⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        169⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        170⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        170⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        171⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        171⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        172⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        172⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        173⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        173⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        174⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        174⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        175⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        175⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        176⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        176⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        177⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        177⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        178⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        178⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        179⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        179⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        180⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        180⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        181⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        181⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        182⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        182⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        183⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        183⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        184⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        184⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        185⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        185⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        186⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        186⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        187⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        187⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        188⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        188⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        189⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        189⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        190⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        190⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        191⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        191⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        192⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        192⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        193⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        193⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        194⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        194⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        195⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        195⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        196⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        196⤵
        Checks computer location settings
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        197⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        197⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        198⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        198⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        199⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        199⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        200⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        200⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        201⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        201⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        202⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        202⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        203⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        203⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        204⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        204⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        205⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        205⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        206⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        206⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        207⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        207⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        208⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        208⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        209⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        209⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        210⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        210⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        211⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        211⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        212⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        212⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        213⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        213⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        214⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        214⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        215⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        215⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        216⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        216⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        217⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        217⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        218⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        218⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        219⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        219⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        220⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        220⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        221⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        221⤵
        Checks computer location settings
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        222⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        222⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        223⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        223⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        224⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        224⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        225⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        225⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        226⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        226⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        227⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        227⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        228⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        228⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        229⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        229⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        230⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        230⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        231⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        231⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        232⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        232⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        233⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        233⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        234⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        234⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        235⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        235⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        236⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        236⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        237⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        237⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        238⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        238⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        239⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        239⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        240⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        240⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        241⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        241⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        242⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        242⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        243⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        243⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        244⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        244⤵
        Checks computer location settings
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        245⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        245⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        246⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        246⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        247⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        247⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        248⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        248⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        249⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        249⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        250⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        250⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        251⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        251⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        252⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        252⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        253⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        253⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        254⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        254⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        255⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        255⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        256⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        256⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        257⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        257⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        258⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        258⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        259⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        259⤵
        Checks computer location settings
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        260⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        260⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        261⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        261⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        262⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        262⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        263⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        263⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        264⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        264⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        265⤵
        Drops file in Drivers directory
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        266⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        266⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        266⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        266⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:3380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        266⤵
        
        PID:4112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        266⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        266⤵
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        266⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        266⤵
        Detects videocard installed
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        265⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        266⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        266⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        267⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        267⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        268⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        268⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        269⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        269⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        270⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        270⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        271⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        271⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        272⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        272⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        273⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        273⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        274⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        274⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        275⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        275⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        276⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        276⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        277⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        277⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        278⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        278⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        279⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        279⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        280⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        280⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        281⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        281⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        282⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        282⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        283⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        283⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        284⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        284⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        285⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        285⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        286⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        286⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        287⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        287⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        288⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        288⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        289⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        289⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        290⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        290⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        291⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        291⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        292⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        292⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        293⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        293⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        294⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        294⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        295⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        295⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        296⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        296⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        297⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        297⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        298⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        298⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        299⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        299⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        300⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        300⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        301⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        301⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        302⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        302⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        303⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        303⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        304⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        304⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        305⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        305⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        306⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        306⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        307⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        307⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        308⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        308⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        309⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        309⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        310⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        310⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        311⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        311⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        312⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        312⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        313⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        313⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        314⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        314⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        315⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        315⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        316⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        316⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        317⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        317⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        318⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        318⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        319⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        319⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        320⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        320⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        321⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        321⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        322⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        322⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        323⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        323⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        324⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        324⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        325⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        325⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        326⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        326⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        327⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        327⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        328⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        328⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        329⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        329⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        330⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        330⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        331⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        331⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        332⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        332⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        333⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        333⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        334⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        334⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        335⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        335⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        336⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        336⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        337⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        337⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        338⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        338⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        339⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        339⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        340⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        340⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        341⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        341⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        342⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        342⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        343⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        343⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        344⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        344⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        345⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        345⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        346⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        346⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        347⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        347⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        348⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        348⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        349⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        349⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        350⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        350⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        351⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        351⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        352⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        352⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        353⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        353⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        354⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        354⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        355⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        355⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        356⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        356⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        357⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        357⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        358⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        358⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        359⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        359⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        360⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        360⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        361⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        361⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        362⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        362⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        363⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        363⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        364⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        364⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        365⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        365⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        366⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        366⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        367⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        367⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        368⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        368⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        369⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        369⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        370⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        370⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        371⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        371⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        372⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        372⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        373⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        373⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        374⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        374⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        375⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        375⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        376⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        376⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        377⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        377⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        378⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        378⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        379⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        379⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        380⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        380⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        381⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        381⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        382⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        382⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        383⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        383⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        384⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        384⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        385⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        385⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        386⤵
        Drops file in Drivers directory
        
        PID:400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        387⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        388⤵
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        387⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        387⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        388⤵
        
        PID:3112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        387⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        387⤵
        
        PID:4624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        387⤵
        
        PID:548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        387⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        388⤵
        
        PID:1336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        387⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        388⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        387⤵
        Detects videocard installed
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        386⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        387⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        387⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        388⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        388⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        389⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        389⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        390⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        390⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        391⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        391⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        392⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        392⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        393⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        393⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        394⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        394⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        395⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        395⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        396⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        396⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        397⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        397⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        398⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        398⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        399⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        399⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        400⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        400⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        401⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        401⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        402⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        402⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        403⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        403⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        404⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        404⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        405⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        405⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        406⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        406⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        407⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        407⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        408⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        408⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        409⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        409⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        410⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        410⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        411⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        411⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        412⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        412⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        413⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        413⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        414⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        414⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        415⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        415⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        416⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        416⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        417⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        417⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        418⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        418⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        419⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        419⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        420⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        420⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        421⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        421⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        422⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        422⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        423⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        423⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        424⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        424⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        425⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        425⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        426⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        426⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        427⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        427⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        428⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        428⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        429⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        429⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        430⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        430⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        431⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        431⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        432⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        432⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        433⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        433⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        434⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        434⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        435⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        435⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        436⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        436⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        437⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        437⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        438⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        438⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        439⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        439⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        440⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        440⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        441⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        441⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        442⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        442⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        443⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        443⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        444⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        444⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        445⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        445⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        446⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        446⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        447⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        447⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        448⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        448⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        449⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        449⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        450⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        450⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        451⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        451⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        452⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        452⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        453⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        453⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        454⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        454⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        455⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        455⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        456⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        456⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        457⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        457⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        458⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        458⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        459⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        459⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        460⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        460⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        461⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        461⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        462⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        462⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        463⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        463⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        464⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        464⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        465⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        465⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        466⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        466⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        467⤵
        Drops file in Drivers directory
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe'
        468⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        468⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        468⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        468⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        467⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        468⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        468⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        469⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        469⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        470⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        470⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        471⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        471⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        472⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        472⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        473⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        473⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        474⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        474⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        475⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        475⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        476⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        476⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        477⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        477⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        478⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        478⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        479⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        479⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        480⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        480⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        481⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        481⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        482⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        482⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        483⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        483⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        484⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        484⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        485⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        485⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        486⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        486⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        487⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        487⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        488⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        488⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        489⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        489⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        490⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\start.exe
        
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        490⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe"
        491⤵
        
        PID:3200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1216

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2368

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NursultanStart.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e2a7fc20b443bab1d5f443e5cced0003

SHA1
fd875f15cf9bdea6d2e507365529fe151e26e399

SHA256
b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f

SHA512
0442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fff254cb5c3afd42123a4696fea48838

SHA1
2522f8d37166c8202ed692a4f7e44464cb35fe11

SHA256
e27dc87caf719841f1cddfcbd53d9a49278f9da06b13b607799a07141a7adfec

SHA512
4cd8f4dd861947242ba2ff4eb4ac3b07f7afbf5c7b73ead1f3e3052c9976b6f0d5515f661f4dc4b487ecc99ff99a048767e38f925531ec2718fbf300c5d5f7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92382908106bf04aac6575ae0e55073f

SHA1
b164dd606b60ada42fe843963f95e14e92d5d86a

SHA256
1332dc373efa610424b48ae9955247275f4f94cfeecec93a5121784ed8d6b3db

SHA512
d6ee3e3776f683b2a4eaf4fd92e2cd2b9412d85fb57556130d8cabf52e180fb17b5dcdfec9ccd0b3b80bed2816c0bd2d25de35580b859e7799b7cb61071edb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKBus6UkaY2mfKX

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe

Filesize
228KB

MD5
9663eac13664b0569197105222783be4

SHA1
545c88c8397d3b6582a1596e1893c2889334707e

SHA256
77c4aa0c830b52ad38664d3510f191df0da166a9a8c3bbf7a2f2000eb8c2c04b

SHA512
e8c28068eb32badd7f5733ea54e457af665ed9e196b6ecf524fc31f8445d97a8d9ed37e993e9886b9d39cad7f40404176c1a974a0416773647a985ff6d47a2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe

Filesize
229KB

MD5
a635e377a579296af70e52f439465078

SHA1
68aff1bf9a48c1d8f326f9ee1d95a795c1b35c35

SHA256
11ca4440ffccc6e94fa1536d27eeafdceea8782202a56f3989b19f845d7864ac

SHA512
cef30f2e3385399c9659acb6938a68a46401b977cb84c1137cc18dd37009c61a91eeb473a65552bb5585af69ecfadd878db0a0f6bd24584153d9796a3e46db39

Download Submit
C:\Users\Admin\AppData\Local\Temp\NursultanStart.exe

Filesize
128KB

MD5
c8a881ede26ce932901910c6db4529a4

SHA1
25b57b78e5ae6e05e76080c1a9e546ccedcdd00c

SHA256
2cfaf96a996e53f1f5db39bfdc904084ec3b39a85d75f4069fc6ecbe003335cd

SHA512
d1796199d8c0fb464867428045d9b22a53dddca1cc2eacbcf0ae24d16d7dfc20481d7f1f07283f3bb439fe06acdf642aab2b1c99f99b5f005a8ac0afcedf470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQqWsBNIQyszzSE

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQqWsBNIQyszzSE

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOjTZTLA1hbDBMk\Display\Display.png

Filesize
415KB

MD5
420b81339cdc13b738e2d2a130dd7571

SHA1
0ee9f1e17c5e4fff575c16787761b2414dfbee8c

SHA256
c7d3647b30334a9c4993ea638500d14b8e174ef9e3ab4c8b3e4073fa2e8103ff

SHA512
b5cc9a5ff60821f4d9b68a0a95625d0714fbbb375193d3e458246f37bbc88d1f4b77df29a33245686bc8cc7c60fccc15e6ed5da1a6737b101044c9a91f3e7d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lasjft1z.mzb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1MJ64elZRpHfej

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
192KB

MD5
066f7f594bf6f254748bc19562dd1bc3

SHA1
313883f4a7fbfc3c60b153492aeefb927c5d5694

SHA256
9398c6385a5246fe4b86b0f247ddb8a93a9c326389dabef1b96bd65af09b360e

SHA512
04f0c82938dee7a790876ab39282c36eda0c6de11a337d93f728c07be6ff5997605c6a9bba886b94091c313795ee19bf96d65ca9ac1e1d62eeab7acd33b6afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
57KB

MD5
13e4019909898d6678c6630d49b1c498

SHA1
5766ca0ca17778619f0900006bd87da08cb8c66e

SHA256
429760f0f85e1a0838c832a2a0d670955ac906a6a446e8b7c71e05749ec924a7

SHA512
20c88ed8e034762d550ce64d36b85df4a2453d9b24dc3154a9b7a36bf6390cc61e04b3cd39fec4d365662b1f08182b1629a8299655c2f5c58db9ddad98daee43

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
12KB

MD5
5f7646ef775429293c16daa6d3be29c4

SHA1
bb571bf52e1de4efb52cd3826a6aa31c03838e31

SHA256
f2c0b9aa6933c09f804902c08ff70a77b7439e3d2480d49c9f15cbcc8abbf784

SHA512
aaaf92cb1a745d892cb14e573f545c8ae8510e0fa9b78c024260230d1fade6efd548dab9e57063444f30e5ede7d6b8b126031e70470bd057245fc802ceaba03c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/228-86-0x00000185A89C0000-0x00000185A8A10000-memory.dmp

Filesize
320KB

Download
memory/228-161-0x00000185C2D90000-0x00000185C2DA2000-memory.dmp

Filesize
72KB

Download
memory/228-159-0x00000185A89A0000-0x00000185A89AA000-memory.dmp

Filesize
40KB

Download
memory/228-13-0x00000185A8480000-0x00000185A84C0000-memory.dmp

Filesize
256KB

Download
memory/228-85-0x00000185C2D10000-0x00000185C2D86000-memory.dmp

Filesize
472KB

Download
memory/228-14-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/228-91-0x00000185A8960000-0x00000185A897E000-memory.dmp

Filesize
120KB

Download
memory/228-157-0x00000185C29C0000-0x00000185C2AC2000-memory.dmp

Filesize
1.0MB

Download
memory/228-55-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/228-15-0x00000185A8890000-0x00000185A88A0000-memory.dmp

Filesize
64KB

Download
memory/228-65-0x00000185A8890000-0x00000185A88A0000-memory.dmp

Filesize
64KB

Download
memory/228-588-0x00000185C29C0000-0x00000185C2AC2000-memory.dmp

Filesize
1.0MB

Download
memory/396-39-0x0000020C38790000-0x0000020C387B2000-memory.dmp

Filesize
136KB

Download
memory/396-44-0x0000020C385E0000-0x0000020C385F0000-memory.dmp

Filesize
64KB

Download
memory/396-53-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/396-40-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/548-81-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/724-47-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/724-112-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/752-108-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/752-32-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1040-162-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1632-180-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1632-133-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-174-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-184-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-59-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-63-0x000001EEA8CB0000-0x000001EEA8CC0000-memory.dmp

Filesize
64KB

Download
memory/2228-79-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-80-0x000001EEA8CB0000-0x000001EEA8CC0000-memory.dmp

Filesize
64KB

Download
memory/2228-61-0x000001EEA8CB0000-0x000001EEA8CC0000-memory.dmp

Filesize
64KB

Download
memory/2908-50-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-124-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-192-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-154-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-181-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3084-167-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3120-111-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-173-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-126-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-187-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-146-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-147-0x000001BED80C0000-0x000001BED80D0000-memory.dmp

Filesize
64KB

Download
memory/3504-153-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-148-0x000001BED80C0000-0x000001BED80D0000-memory.dmp

Filesize
64KB

Download
memory/3536-57-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-64-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4016-29-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4016-92-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-78-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-19-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-134-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4220-170-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-23-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-83-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-177-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4692-194-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-89-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-190-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-101-0x0000026C90AF0000-0x0000026C90B00000-memory.dmp

Filesize
64KB

Download
memory/5036-93-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-128-0x0000026C90AF0000-0x0000026C90B00000-memory.dmp

Filesize
64KB

Download
memory/5036-129-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-94-0x0000026C90AF0000-0x0000026C90B00000-memory.dmp

Filesize
64KB

Download
memory/5112-26-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-88-0x00007FFAAE820000-0x00007FFAAF2E1000-memory.dmp

Filesize
10.8MB

Download