colibri | d588c89ff1cee433b3b5d503e0adae787d8fbf8e516638cde0033de331aea1bb

Analysis

max time kernel
104s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e721cd0b41361048ffeaf94be64a090N.exe
Size

4.9MB
MD5

2e721cd0b41361048ffeaf94be64a090
SHA1

0d5c61de07649f07f150785959ca3853f5d0529a
SHA256

d588c89ff1cee433b3b5d503e0adae787d8fbf8e516638cde0033de331aea1bb
SHA512

b9c264122c8e0eeb6007373d545a04900e0b9fc7866470b1fac7482f43972aab44352296e96076a898871e0962758bda3aba3e5aabee0d588b12a211d349f5d7
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4932	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4932	schtasks.exe	86

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/800-3-0x000000001BBC0000-0x000000001BCEE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
4436	powershell.exe
1768	powershell.exe
1788	powershell.exe
2604	powershell.exe
1224	powershell.exe
912	powershell.exe
1536	powershell.exe
3208	powershell.exe
3612	powershell.exe
4524	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	2e721cd0b41361048ffeaf94be64a090N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
692	tmpD1BB.tmp.exe
4604	tmpD1BB.tmp.exe
3648	SearchApp.exe
3896	tmpFC80.tmp.exe
2632	tmpFC80.tmp.exe
720	tmpFC80.tmp.exe
2296	tmpFC80.tmp.exe
1916	SearchApp.exe
1508	SearchApp.exe
3852	tmp3851.tmp.exe
4260	tmp3851.tmp.exe
2900	SearchApp.exe
4504	tmp68F6.tmp.exe
3116	tmp68F6.tmp.exe
4816	tmp68F6.tmp.exe
3400	SearchApp.exe
636	tmp87D8.tmp.exe
1152	tmp87D8.tmp.exe
4776	tmp87D8.tmp.exe
1532	tmp87D8.tmp.exe
4936	tmp87D8.tmp.exe
4316	tmp87D8.tmp.exe
1552	tmp87D8.tmp.exe
2644	tmp87D8.tmp.exe
2568	tmp87D8.tmp.exe
4576	tmp87D8.tmp.exe
3128	tmp87D8.tmp.exe
3200	tmp87D8.tmp.exe
728	tmp87D8.tmp.exe
4104	tmp87D8.tmp.exe
4064	tmp87D8.tmp.exe
3584	tmp87D8.tmp.exe
1084	tmp87D8.tmp.exe
1196	tmp87D8.tmp.exe
4868	tmp87D8.tmp.exe
752	tmp87D8.tmp.exe
4968	tmp87D8.tmp.exe
5076	tmp87D8.tmp.exe
228	tmp87D8.tmp.exe
2960	tmp87D8.tmp.exe
3168	tmp87D8.tmp.exe
2156	tmp87D8.tmp.exe
1732	tmp87D8.tmp.exe
2696	tmp87D8.tmp.exe
3304	tmp87D8.tmp.exe
4940	tmp87D8.tmp.exe
2632	tmp87D8.tmp.exe
4888	tmp87D8.tmp.exe
3240	tmp87D8.tmp.exe
924	tmp87D8.tmp.exe
3044	tmp87D8.tmp.exe
4912	tmp87D8.tmp.exe
4872	tmp87D8.tmp.exe
2192	tmp87D8.tmp.exe
4844	tmp87D8.tmp.exe
940	tmp87D8.tmp.exe
1620	tmp87D8.tmp.exe
4200	tmp87D8.tmp.exe
4116	tmp87D8.tmp.exe
3512	tmp87D8.tmp.exe
2712	tmp87D8.tmp.exe
4052	tmp87D8.tmp.exe
1060	tmp87D8.tmp.exe
3416	tmp87D8.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 4604	692	tmpD1BB.tmp.exe	131
PID 720 set thread context of 2296	720	tmpFC80.tmp.exe	161
PID 3852 set thread context of 4260	3852	tmp3851.tmp.exe	170
PID 3116 set thread context of 4816	3116	tmp68F6.tmp.exe	179
PID 1572 set thread context of 4260	1572	tmpA4A7.tmp.exe	573
PID 1524 set thread context of 1732	1524	Process not Found	1170
PID 2612 set thread context of 320	2612	Process not Found	1835
PID 4044 set thread context of 3520	4044	Process not Found	2494
PID 4796 set thread context of 4912	4796	Process not Found	3301

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\9e8d7a4ca61bd9	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\886983d96e3d3e	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\csrss.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXDA2C.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXE4EF.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Windows Defender\en-US\SearchApp.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Windows Defender\en-US\38384e6a620884	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Google\ea9f0e6c9e2dcd	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXDC40.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\csrss.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXD596.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6cb0b6c459d5d3	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Common Files\Services\6ccacd8608530f	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Google\taskhostw.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCXCF68.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Google\taskhostw.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\e6c9b481da804f	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files (x86)\Common Files\Services\Idle.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\SearchApp.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\Idle.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE2EA.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXE994.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCXD7AA.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXE0D6.tmp	2e721cd0b41361048ffeaf94be64a090N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\eddb19405b7ce1	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Windows\DigitalLocker\RCXE770.tmp	2e721cd0b41361048ffeaf94be64a090N.exe
File opened for modification	C:\Windows\DigitalLocker\backgroundTaskHost.exe	2e721cd0b41361048ffeaf94be64a090N.exe
File created	C:\Windows\DigitalLocker\backgroundTaskHost.exe	2e721cd0b41361048ffeaf94be64a090N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87D8.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2e721cd0b41361048ffeaf94be64a090N.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2008	schtasks.exe
1836	schtasks.exe
4804	schtasks.exe
3304	schtasks.exe
1724	schtasks.exe
4108	schtasks.exe
4988	schtasks.exe
3640	schtasks.exe
2764	schtasks.exe
4376	schtasks.exe
1584	schtasks.exe
2320	schtasks.exe
3876	schtasks.exe
1140	schtasks.exe
4112	schtasks.exe
720	schtasks.exe
3188	schtasks.exe
1524	schtasks.exe
4468	schtasks.exe
2644	schtasks.exe
2172	schtasks.exe
1516	schtasks.exe
2432	schtasks.exe
4476	schtasks.exe
1720	schtasks.exe
4120	schtasks.exe
2940	schtasks.exe
1304	schtasks.exe
1036	schtasks.exe
1388	schtasks.exe
908	schtasks.exe
4868	schtasks.exe
3744	schtasks.exe
3812	schtasks.exe
4628	schtasks.exe
2276	schtasks.exe
220	schtasks.exe
1808	schtasks.exe
1796	schtasks.exe
2756	schtasks.exe
4776	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
800	2e721cd0b41361048ffeaf94be64a090N.exe
1788	powershell.exe
1788	powershell.exe
4524	powershell.exe
4524	powershell.exe
2568	powershell.exe
2568	powershell.exe
2604	powershell.exe
2604	powershell.exe
3612	powershell.exe
3612	powershell.exe
1768	powershell.exe
1768	powershell.exe
912	powershell.exe
912	powershell.exe
3208	powershell.exe
3208	powershell.exe
2604	powershell.exe
1536	powershell.exe
1536	powershell.exe
4436	powershell.exe
4436	powershell.exe
1224	powershell.exe
1224	powershell.exe
4436	powershell.exe
4524	powershell.exe
3612	powershell.exe
1788	powershell.exe
2568	powershell.exe
1768	powershell.exe
912	powershell.exe
1536	powershell.exe
3208	powershell.exe
1224	powershell.exe
3648	SearchApp.exe
3648	SearchApp.exe
1916	SearchApp.exe
1508	SearchApp.exe
2900	SearchApp.exe
3400	SearchApp.exe
4768	SearchApp.exe
3296	SearchApp.exe
3200	Process not Found
4724	Process not Found
376	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	2e721cd0b41361048ffeaf94be64a090N.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	3648	SearchApp.exe
Token: SeDebugPrivilege	1916	SearchApp.exe
Token: SeDebugPrivilege	1508	SearchApp.exe
Token: SeDebugPrivilege	2900	SearchApp.exe
Token: SeDebugPrivilege	3400	SearchApp.exe
Token: SeDebugPrivilege	4768	SearchApp.exe
Token: SeDebugPrivilege	3296	SearchApp.exe
Token: SeDebugPrivilege	3200	Process not Found
Token: SeDebugPrivilege	4724	Process not Found
Token: SeDebugPrivilege	376	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 692	800	2e721cd0b41361048ffeaf94be64a090N.exe	129
PID 800 wrote to memory of 692	800	2e721cd0b41361048ffeaf94be64a090N.exe	129
PID 800 wrote to memory of 692	800	2e721cd0b41361048ffeaf94be64a090N.exe	129
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 692 wrote to memory of 4604	692	tmpD1BB.tmp.exe	131
PID 800 wrote to memory of 1224	800	2e721cd0b41361048ffeaf94be64a090N.exe	132
PID 800 wrote to memory of 1224	800	2e721cd0b41361048ffeaf94be64a090N.exe	132
PID 800 wrote to memory of 4524	800	2e721cd0b41361048ffeaf94be64a090N.exe	133
PID 800 wrote to memory of 4524	800	2e721cd0b41361048ffeaf94be64a090N.exe	133
PID 800 wrote to memory of 2568	800	2e721cd0b41361048ffeaf94be64a090N.exe	134
PID 800 wrote to memory of 2568	800	2e721cd0b41361048ffeaf94be64a090N.exe	134
PID 800 wrote to memory of 2604	800	2e721cd0b41361048ffeaf94be64a090N.exe	135
PID 800 wrote to memory of 2604	800	2e721cd0b41361048ffeaf94be64a090N.exe	135
PID 800 wrote to memory of 1788	800	2e721cd0b41361048ffeaf94be64a090N.exe	136
PID 800 wrote to memory of 1788	800	2e721cd0b41361048ffeaf94be64a090N.exe	136
PID 800 wrote to memory of 1768	800	2e721cd0b41361048ffeaf94be64a090N.exe	138
PID 800 wrote to memory of 1768	800	2e721cd0b41361048ffeaf94be64a090N.exe	138
PID 800 wrote to memory of 3612	800	2e721cd0b41361048ffeaf94be64a090N.exe	139
PID 800 wrote to memory of 3612	800	2e721cd0b41361048ffeaf94be64a090N.exe	139
PID 800 wrote to memory of 3208	800	2e721cd0b41361048ffeaf94be64a090N.exe	140
PID 800 wrote to memory of 3208	800	2e721cd0b41361048ffeaf94be64a090N.exe	140
PID 800 wrote to memory of 4436	800	2e721cd0b41361048ffeaf94be64a090N.exe	141
PID 800 wrote to memory of 4436	800	2e721cd0b41361048ffeaf94be64a090N.exe	141
PID 800 wrote to memory of 1536	800	2e721cd0b41361048ffeaf94be64a090N.exe	142
PID 800 wrote to memory of 1536	800	2e721cd0b41361048ffeaf94be64a090N.exe	142
PID 800 wrote to memory of 912	800	2e721cd0b41361048ffeaf94be64a090N.exe	144
PID 800 wrote to memory of 912	800	2e721cd0b41361048ffeaf94be64a090N.exe	144
PID 800 wrote to memory of 3648	800	2e721cd0b41361048ffeaf94be64a090N.exe	154
PID 800 wrote to memory of 3648	800	2e721cd0b41361048ffeaf94be64a090N.exe	154
PID 3648 wrote to memory of 2584	3648	SearchApp.exe	155
PID 3648 wrote to memory of 2584	3648	SearchApp.exe	155
PID 3648 wrote to memory of 2144	3648	SearchApp.exe	156
PID 3648 wrote to memory of 2144	3648	SearchApp.exe	156
PID 3648 wrote to memory of 3896	3648	SearchApp.exe	157
PID 3648 wrote to memory of 3896	3648	SearchApp.exe	157
PID 3648 wrote to memory of 3896	3648	SearchApp.exe	157
PID 3896 wrote to memory of 2632	3896	tmpFC80.tmp.exe	159
PID 3896 wrote to memory of 2632	3896	tmpFC80.tmp.exe	159
PID 3896 wrote to memory of 2632	3896	tmpFC80.tmp.exe	159
PID 2632 wrote to memory of 720	2632	tmpFC80.tmp.exe	160
PID 2632 wrote to memory of 720	2632	tmpFC80.tmp.exe	160
PID 2632 wrote to memory of 720	2632	tmpFC80.tmp.exe	160
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 720 wrote to memory of 2296	720	tmpFC80.tmp.exe	161
PID 2584 wrote to memory of 1916	2584	WScript.exe	162
PID 2584 wrote to memory of 1916	2584	WScript.exe	162
PID 1916 wrote to memory of 4784	1916	SearchApp.exe	163
PID 1916 wrote to memory of 4784	1916	SearchApp.exe	163
PID 1916 wrote to memory of 3644	1916	SearchApp.exe	164
PID 1916 wrote to memory of 3644	1916	SearchApp.exe	164
PID 4784 wrote to memory of 1508	4784	WScript.exe	165
PID 4784 wrote to memory of 1508	4784	WScript.exe	165
PID 1508 wrote to memory of 3224	1508	SearchApp.exe	166
PID 1508 wrote to memory of 3224	1508	SearchApp.exe	166

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e721cd0b41361048ffeaf94be64a090N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e721cd0b41361048ffeaf94be64a090N.exe
"C:\Users\Admin\AppData\Local\Temp\2e721cd0b41361048ffeaf94be64a090N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:800
- C:\Users\Admin\AppData\Local\Temp\tmpD1BB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD1BB.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\tmpD1BB.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD1BB.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Program Files\Windows Defender\en-US\SearchApp.exe
  "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac17533-be62-40be-8585-1d22983474d2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Program Files\Windows Defender\en-US\SearchApp.exe
      "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c29de8fb-c471-44ea-9ac1-c7ad4bfa0040.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Program Files\Windows Defender\en-US\SearchApp.exe
        
        "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8e3667-64a9-434f-a2dd-5e925f1b250b.vbs"
        7⤵
        
        PID:3224
        
        C:\Program Files\Windows Defender\en-US\SearchApp.exe
        
        "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b536c9a2-a0bb-42ca-9f25-20d25acb14e9.vbs"
        9⤵
        
        PID:4112
        
        C:\Program Files\Windows Defender\en-US\SearchApp.exe
        
        "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a1ade61-c829-44f6-9851-b36b804452c3.vbs"
        11⤵
        
        PID:4524
        
        C:\Program Files\Windows Defender\en-US\SearchApp.exe
        
        "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b325c2fe-0158-400a-b9a2-916ba2f07520.vbs"
        13⤵
        
        PID:5048
        
        C:\Program Files\Windows Defender\en-US\SearchApp.exe
        
        "C:\Program Files\Windows Defender\en-US\SearchApp.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f768b7d-e2cc-417a-950a-ce88c5710b35.vbs"
        15⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91edfb4f-2fc6-46bb-8e30-b42773d398dc.vbs"
        15⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0219f9a4-81b9-427d-9c37-7d99aca2028c.vbs"
        13⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4A7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4A7.tmp.exe"
        13⤵
        Suspicious use of SetThreadContext
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4A7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4A7.tmp.exe"
        14⤵
        
        PID:4260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b9896d5-bdce-4849-9e3f-8fb4aec8ed3d.vbs"
        11⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        54⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        56⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        58⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        59⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        60⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        61⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        62⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        63⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        64⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        65⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        66⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        67⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        68⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        69⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        70⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        71⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        72⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        73⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        74⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        75⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        76⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        77⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        78⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        79⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        80⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        81⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        82⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        83⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        84⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        85⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        86⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        87⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        88⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        89⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        90⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        91⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        92⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        93⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        94⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        95⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        96⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        97⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        98⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        99⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        100⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        101⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        102⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        103⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        104⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        105⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        106⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        108⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        109⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        110⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        111⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        112⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        113⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        114⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        115⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        116⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        117⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        118⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        119⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        120⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        121⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        122⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        123⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        124⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        125⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        126⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        127⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        128⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        129⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        130⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        131⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        132⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        133⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        134⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        135⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        136⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        137⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        138⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        139⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        140⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        141⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        142⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        143⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        144⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        145⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        146⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        147⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        148⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        149⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        150⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        151⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        152⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        153⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        154⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        155⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        156⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        157⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        158⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        159⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        160⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        161⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        162⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        163⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        164⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        165⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        166⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        167⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        168⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        169⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        170⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        171⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        172⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        173⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        174⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        175⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        176⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        177⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        178⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        179⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        180⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        181⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        182⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        183⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        184⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        185⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        186⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        187⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        188⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        189⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        190⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        191⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        192⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        193⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        194⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        195⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        196⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        197⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        198⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        199⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        200⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        201⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        202⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        203⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        204⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        205⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        206⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        207⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        208⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        209⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        210⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        211⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        212⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        213⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        214⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        215⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        216⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        217⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        218⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        219⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        220⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        221⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        222⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        223⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        224⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        225⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        226⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        227⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        228⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        229⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        230⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        231⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        232⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        233⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        234⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        235⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        236⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        237⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        238⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        239⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        240⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        242⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        243⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        244⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        245⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        246⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        247⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        248⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        249⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        250⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        251⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        252⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        253⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        254⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        255⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        256⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        257⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        258⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        259⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        260⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        261⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        262⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        263⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        264⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        265⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        266⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        267⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        268⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        269⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        270⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        271⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        272⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        273⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        274⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        275⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        276⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        277⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        278⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        279⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        280⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        281⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        282⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        283⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        284⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        285⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        286⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        287⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        288⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        289⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        290⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        291⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        292⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        293⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        294⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        295⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        296⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        297⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        298⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        299⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        300⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        301⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        302⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        303⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        304⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        305⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        306⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        307⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        308⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        309⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        310⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        311⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        312⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        313⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        314⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        315⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        316⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        317⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        318⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        319⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        321⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        322⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        323⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        325⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        326⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        327⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        328⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        329⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        330⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        332⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        333⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        334⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        335⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        336⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        337⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        338⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        339⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        340⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        341⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        342⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        343⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        344⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        345⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        346⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        347⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        348⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        349⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        350⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        351⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        352⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        354⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        355⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        356⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        357⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        358⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        360⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        361⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        362⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        363⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        364⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        365⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        366⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        367⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        368⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        369⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        370⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        371⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        372⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        373⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        374⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        375⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        376⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        377⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        378⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        379⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        380⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        381⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        382⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        383⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        384⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        385⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        386⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        387⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        388⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        389⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        390⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        391⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        392⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        393⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        394⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        395⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        396⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        397⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        398⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        399⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        400⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        401⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        402⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        403⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        404⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        405⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        406⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        407⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        408⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        409⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        410⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        411⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        412⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        413⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        414⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        415⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        416⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        417⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        418⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        419⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        420⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        421⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        422⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        423⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        424⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        425⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        426⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        427⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        428⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        429⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        430⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        431⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        432⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        433⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        434⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        435⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        436⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        437⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        438⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        439⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        440⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        441⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        442⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        443⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        444⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        445⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        446⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        447⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        448⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        449⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        450⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        451⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        452⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        453⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        454⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        455⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        456⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        457⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        458⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        459⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        460⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        461⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        462⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        463⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        464⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        465⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        466⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        467⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        468⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        469⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        470⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        471⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        472⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        473⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        474⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        475⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        476⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        477⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        478⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        479⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        480⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        481⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        482⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        483⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        484⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        485⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        486⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        487⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        488⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        489⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        490⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        491⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        492⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        493⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        494⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        495⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        496⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        497⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        498⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        499⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        500⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        501⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        502⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        503⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        504⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        505⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        506⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        507⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        508⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        509⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        510⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        511⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        512⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        513⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        514⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        515⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        516⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        517⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        518⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        519⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        520⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        521⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        522⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        523⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        524⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        525⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        526⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        527⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        528⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        529⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        530⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        531⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        532⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        533⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        534⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        535⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        536⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        537⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        538⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        539⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        540⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        541⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        542⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        543⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        544⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        545⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        546⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        547⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        548⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        549⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        550⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        551⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        552⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        553⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        554⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        555⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        556⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        557⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        558⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        559⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        560⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        561⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        562⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        563⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        564⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        565⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        566⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        567⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        568⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        569⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        570⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        571⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        572⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        573⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        574⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        575⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        576⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        577⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        578⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        579⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        580⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        581⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        582⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        583⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        584⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        585⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        586⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        587⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        588⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        589⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        590⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        591⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        592⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        593⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        594⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        595⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        596⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        597⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        598⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        599⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        600⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        601⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        602⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        603⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        604⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        605⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        606⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        607⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        608⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        609⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        610⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        611⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        612⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        613⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        614⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        615⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        616⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        617⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        618⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        619⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        620⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        621⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        622⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        623⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        624⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        625⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        626⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        627⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        628⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        629⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        630⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        631⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        632⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        633⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        634⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        635⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        636⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        637⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        638⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        639⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        640⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        641⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        642⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        643⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        644⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        645⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        646⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        647⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        648⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        649⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        650⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        651⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        652⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        653⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        654⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        655⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        656⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        657⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        658⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        659⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        660⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        661⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        662⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        663⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        664⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        665⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        666⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        667⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        668⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        669⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        670⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        671⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        672⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        673⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        674⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        675⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        676⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        677⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        678⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        679⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        680⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        681⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        682⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        683⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        684⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        685⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        686⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        687⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        688⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        689⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        690⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        691⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        692⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        693⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        694⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        695⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        696⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        697⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        698⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        699⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        700⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        701⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        702⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        703⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        704⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        705⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        706⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        707⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        708⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        709⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        710⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        711⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        712⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        713⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        714⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        715⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        716⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        717⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        718⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        719⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        720⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        721⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        722⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        723⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        724⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        725⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        726⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        727⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        728⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        729⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        730⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        731⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        732⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        733⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        734⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        735⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        736⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        737⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        738⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        739⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        740⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        741⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        742⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        743⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        744⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        745⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        746⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        747⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        748⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        749⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        750⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        751⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        752⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        753⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        754⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        755⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        756⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        757⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        758⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        759⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        760⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        761⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        762⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        763⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        764⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        765⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        766⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        767⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        768⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        769⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        770⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        771⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        772⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        773⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        774⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        775⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        776⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        777⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        778⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        779⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        780⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        781⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        782⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        783⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        784⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        785⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        786⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        787⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        788⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        789⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        790⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        791⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        792⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        793⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        794⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        795⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        796⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        797⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        798⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        799⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        800⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        801⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        802⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        803⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        804⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        805⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        806⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        807⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        808⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        809⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        810⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        811⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        812⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        813⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        814⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        815⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        816⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        817⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        818⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        819⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        820⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        821⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        822⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        823⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        824⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        825⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        826⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        827⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        828⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        829⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        830⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        831⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        832⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        833⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        834⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        835⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        836⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        837⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        838⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        839⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        840⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        841⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        842⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        843⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        844⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        845⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        846⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        847⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        848⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        849⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        850⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        851⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        852⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        853⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        854⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        855⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        856⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        857⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        858⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        859⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        860⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        861⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        862⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        863⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        864⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        865⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        866⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        867⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        868⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        869⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        870⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        871⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        872⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        873⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        874⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        875⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        876⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        877⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        878⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        879⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        880⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        881⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        882⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        883⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        884⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        885⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        886⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        887⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        888⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        889⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        890⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        891⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        892⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        893⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        894⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        895⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        896⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        897⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        898⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        899⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        900⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        901⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        902⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        903⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        904⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        905⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        906⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        907⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        908⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        909⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        910⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        911⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        912⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        913⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        914⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        915⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        916⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        917⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        918⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        919⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        920⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        921⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        922⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        923⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        924⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        925⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        926⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        927⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        928⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        929⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        930⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        931⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        932⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        933⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        934⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        935⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        936⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        937⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        938⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        939⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        940⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        941⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        942⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        943⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        944⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        945⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.exe"
        946⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee8dcd1-2924-4b42-ae2c-7ddc666d510d.vbs"
        9⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp68F6.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b20d539d-e4e0-44d5-b028-4322160a1d58.vbs"
        7⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp3851.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3851.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp3851.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3851.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fdaa5e4-aa0d-4531-b7f3-82ccd53b5eba.vbs"
        5⤵
        
        PID:3644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b74bb368-a880-43b5-b2ce-d4ddf4bc7e80.vbs"
    3⤵
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe

Filesize
4.9MB

MD5
2e721cd0b41361048ffeaf94be64a090

SHA1
0d5c61de07649f07f150785959ca3853f5d0529a

SHA256
d588c89ff1cee433b3b5d503e0adae787d8fbf8e516638cde0033de331aea1bb

SHA512
b9c264122c8e0eeb6007373d545a04900e0b9fc7866470b1fac7482f43972aab44352296e96076a898871e0962758bda3aba3e5aabee0d588b12a211d349f5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a1ade61-c829-44f6-9851-b36b804452c3.vbs

Filesize
729B

MD5
02f20e3c4c5fde52f0ccf621e5251447

SHA1
249120304a34808fb747489fe5c1bea8b337caa8

SHA256
58b41c16e14f5d00c3c5efc75d1279ee5ce5f314e5de1333e146054b317d46cb

SHA512
bed309a8d10a8ca31aace328dd35038e762eb1a251230096543cf18c6f28a3eb62b737c7232196fd0de6e775cff8d152c00841d495dfab8c3be97cff1ef5aee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b8e3667-64a9-434f-a2dd-5e925f1b250b.vbs

Filesize
729B

MD5
3194dd3602dc8ef1452268e95e797839

SHA1
177c33cac167bdc08ff1fcd1951614e097ce4e74

SHA256
444991858ce9be4346949f1d915fac9c239df722731e62925e4698b4c36e97b5

SHA512
28473054c4db2483eabc0531f146dfc6e13e3aa8d8c1cff2031d29e50e77391a082ef57d3616171ab022d1fd1ad47534affaf1e51333a87453abf93600b6acf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecbicsak.uhk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b536c9a2-a0bb-42ca-9f25-20d25acb14e9.vbs

Filesize
729B

MD5
14b39844d4018fe36a90f4db4799f143

SHA1
44b3d9ba3f9295883f13683b7346d652ef9797dd

SHA256
fa8d986ae9c83dfd64ade8aa4fdb517a5e0bf0ac85deab9a8eea011da7beb49b

SHA512
c48d2460204209e690a07d83dfb3b25b74e8dbc4b5e83546fd32a52dc96d9acb693a7f508ee867ba9af88d444bccf382af2eabed0899ee93552802aab5eea53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b74bb368-a880-43b5-b2ce-d4ddf4bc7e80.vbs

Filesize
505B

MD5
eebac13048f15cdea1489a654b7a3747

SHA1
23fa5a921a87d2fd6bbc75c46ccf83cc76299354

SHA256
f2044f7f118e58385d23cfe1eda5e075c2e50f33b5684e2ae537d3fe60c1a938

SHA512
379e490094ec98e4092afff218ef72665f405692d434c5d5ad93577208135b4884215caa809b3482629baf0579a2733118ca5e068b576bf566a10fe0d626fc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\bac17533-be62-40be-8585-1d22983474d2.vbs

Filesize
729B

MD5
8fdfaf522699830029f76124e4239598

SHA1
59cce5bd0fcb61c54d5b19593eaa5a3c84067703

SHA256
418f6140ad40e59e2b73d0ecec2e11e2cc0fc3b8edb69c288d4da7b0fd91bb2a

SHA512
9cbdc867d7b9fff922d6c0650a83216bca6b084cdc9051618ea1a90a71b62293f2d24148b35d7791f46b65f9bdaf3b82c7cb779a1657ba3fe667e3df26e45623

Download Submit
C:\Users\Admin\AppData\Local\Temp\c29de8fb-c471-44ea-9ac1-c7ad4bfa0040.vbs

Filesize
729B

MD5
0832a14ad6f4543dcfa4904406921e2b

SHA1
a085ed04309195eb1d0d6d9d19434355e5b6a66b

SHA256
c66c390d953948a93b651858238a4cb2a4043ccb761998e9820f42982b692fb0

SHA512
c23d399ed736923854a961c562d1e15055c8b4e377aff0b647790050d75aa8276597745e2c681615cf837cf67c3fc12cc63a4c1c3fe42d201e17783cfcbd2d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1BB.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Public\AccountPictures\csrss.exe

Filesize
4.9MB

MD5
339583ec2aeaadf123492de0470fba00

SHA1
a4049f822c9a5bb9d6008afba971abf176f49b8b

SHA256
8178a264732e71083375bc4a1acf39b4bf68c7c436817404ce03002c87c74ddc

SHA512
fda5912eeec53cc7adacb8840ab91e0373af32d0545a4738209b01d0df49ef1739bd5982a343ab40021bce830a7373fd40dc874b1d071ba4a5e3376768725512

Download Submit
memory/800-12-0x000000001C910000-0x000000001CE38000-memory.dmp

Filesize
5.2MB

Download
memory/800-6-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/800-16-0x000000001BD40000-0x000000001BD48000-memory.dmp

Filesize
32KB

Download
memory/800-0-0x00007FFE4EBC3000-0x00007FFE4EBC5000-memory.dmp

Filesize
8KB

Download
memory/800-149-0x00007FFE4EBC3000-0x00007FFE4EBC5000-memory.dmp

Filesize
8KB

Download
memory/800-11-0x000000001BD00000-0x000000001BD12000-memory.dmp

Filesize
72KB

Download
memory/800-17-0x000000001BD50000-0x000000001BD58000-memory.dmp

Filesize
32KB

Download
memory/800-215-0x00007FFE4EBC0000-0x00007FFE4F681000-memory.dmp

Filesize
10.8MB

Download
memory/800-317-0x00007FFE4EBC0000-0x00007FFE4F681000-memory.dmp

Filesize
10.8MB

Download
memory/800-14-0x000000001BD20000-0x000000001BD2E000-memory.dmp

Filesize
56KB

Download
memory/800-15-0x000000001BD30000-0x000000001BD3E000-memory.dmp

Filesize
56KB

Download
memory/800-13-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/800-1-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/800-2-0x00007FFE4EBC0000-0x00007FFE4F681000-memory.dmp

Filesize
10.8MB

Download
memory/800-3-0x000000001BBC0000-0x000000001BCEE000-memory.dmp

Filesize
1.2MB

Download
memory/800-5-0x000000001C390000-0x000000001C3E0000-memory.dmp

Filesize
320KB

Download
memory/800-8-0x0000000002FA0000-0x0000000002FB6000-memory.dmp

Filesize
88KB

Download
memory/800-9-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/800-7-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/800-18-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/800-4-0x0000000002F70000-0x0000000002F8C000-memory.dmp

Filesize
112KB

Download
memory/800-10-0x000000001BCF0000-0x000000001BCFA000-memory.dmp

Filesize
40KB

Download
memory/1672-6736-0x000000001B8F0000-0x000000001B902000-memory.dmp

Filesize
72KB

Download
memory/4524-214-0x0000022C6B100000-0x0000022C6B122000-memory.dmp

Filesize
136KB

Download
memory/4604-80-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4640-6161-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/4768-930-0x000000001C480000-0x000000001C492000-memory.dmp

Filesize
72KB

Download