colibri | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

Resubmissions

25-09-2024 18:20

240925-wy2v4atbmg 10

25-09-2024 18:14

240925-wvqcwsshpe 10

Analysis

max time kernel
113s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Size

4.9MB
MD5

5a9fb15e8fc1d8162c861ca1544f38f0
SHA1

a7606e286eb27a1a5e95693c594de5c65c5d7aa1
SHA256

b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a
SHA512

a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3436	schtasks.exe	82

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1104-3-0x000000001BC90000-0x000000001BDBE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe
640	powershell.exe
1272	powershell.exe
3780	powershell.exe
324	powershell.exe
2104	powershell.exe
4808	powershell.exe
1956	powershell.exe
3704	powershell.exe
3732	powershell.exe
3020	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 64 IoCs

pid	Process
3784	tmp8937.tmp.exe
1936	tmp8937.tmp.exe
2280	RuntimeBroker.exe
3236	tmpD8BC.tmp.exe
4680	tmpD8BC.tmp.exe
3628	RuntimeBroker.exe
3996	tmpF50E.tmp.exe
708	tmpF50E.tmp.exe
920	tmpF50E.tmp.exe
3732	RuntimeBroker.exe
3548	tmp243C.tmp.exe
2016	tmp243C.tmp.exe
4144	RuntimeBroker.exe
4664	tmp556E.tmp.exe
5080	tmp556E.tmp.exe
516	RuntimeBroker.exe
1916	tmp86DE.tmp.exe
2744	tmp86DE.tmp.exe
3392	RuntimeBroker.exe
1220	tmpB83F.tmp.exe
3020	tmpB83F.tmp.exe
1532	tmpB83F.tmp.exe
3396	tmpB83F.tmp.exe
3724	tmpB83F.tmp.exe
220	tmpB83F.tmp.exe
1900	tmpB83F.tmp.exe
3528	tmpB83F.tmp.exe
436	tmpB83F.tmp.exe
3100	tmpB83F.tmp.exe
2076	tmpB83F.tmp.exe
3672	tmpB83F.tmp.exe
3280	tmpB83F.tmp.exe
1604	tmpB83F.tmp.exe
4620	tmpB83F.tmp.exe
3644	tmpB83F.tmp.exe
3236	tmpB83F.tmp.exe
396	tmpB83F.tmp.exe
5080	tmpB83F.tmp.exe
4680	tmpB83F.tmp.exe
4092	tmpB83F.tmp.exe
2388	tmpB83F.tmp.exe
5076	tmpB83F.tmp.exe
1500	tmpB83F.tmp.exe
3716	tmpB83F.tmp.exe
2384	tmpB83F.tmp.exe
1676	tmpB83F.tmp.exe
3728	tmpB83F.tmp.exe
2180	tmpB83F.tmp.exe
2284	tmpB83F.tmp.exe
4972	tmpB83F.tmp.exe
3316	tmpB83F.tmp.exe
1360	tmpB83F.tmp.exe
744	tmpB83F.tmp.exe
2248	tmpB83F.tmp.exe
2156	tmpB83F.tmp.exe
920	tmpB83F.tmp.exe
1780	tmpB83F.tmp.exe
3780	tmpB83F.tmp.exe
2232	tmpB83F.tmp.exe
4968	tmpB83F.tmp.exe
1520	tmpB83F.tmp.exe
2304	tmpB83F.tmp.exe
4804	tmpB83F.tmp.exe
956	tmpB83F.tmp.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 1936	3784	tmp8937.tmp.exe	139
PID 3236 set thread context of 4680	3236	tmpD8BC.tmp.exe	176
PID 708 set thread context of 920	708	tmpF50E.tmp.exe	184
PID 3548 set thread context of 2016	3548	tmp243C.tmp.exe	191
PID 4664 set thread context of 5080	4664	tmp556E.tmp.exe	197
PID 1916 set thread context of 2744	1916	tmp86DE.tmp.exe	203
PID 948 set thread context of 2512	948	tmpE923.tmp.exe	877
PID 3112 set thread context of 3836	3112	Process not Found	1204
PID 1652 set thread context of 2044	1652	Process not Found	1567

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Mail\RCXA8F3.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Media Player\ja-JP\121e5b5079f7c0	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Internet Explorer\RuntimeBroker.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\sysmon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Internet Explorer\RuntimeBroker.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Media Player\ja-JP\sysmon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX935E.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9A75.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Mail\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCXA6DF.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\9e8d7a4ca61bd9	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Defender\c5b4cb5e9653cc	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX9C89.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Defender\services.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Internet Explorer\9e8d7a4ca61bd9	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\22eafd247d37c3	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Defender\services.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Defender\RCX97F3.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX87EE.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX8C27.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Packages\services.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Provisioning\Packages\c5b4cb5e9653cc	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Globalization\56085415360792	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Performance\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Globalization\wininit.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Performance\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\System\Speech\RuntimeBroker.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Globalization\wininit.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Performance\cc11b995f2a76d	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Provisioning\Packages\RCX8E5A.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Provisioning\Packages\services.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Globalization\RCX90DC.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Performance\RCXA0B2.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB83F.tmp.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5020	schtasks.exe
3660	schtasks.exe
2720	schtasks.exe
4116	schtasks.exe
1800	schtasks.exe
4556	schtasks.exe
3544	schtasks.exe
1316	schtasks.exe
4344	schtasks.exe
2484	schtasks.exe
1044	schtasks.exe
220	schtasks.exe
1948	schtasks.exe
2620	schtasks.exe
3596	schtasks.exe
3240	schtasks.exe
3040	schtasks.exe
1972	schtasks.exe
4264	schtasks.exe
3068	schtasks.exe
1672	schtasks.exe
3440	schtasks.exe
2172	schtasks.exe
3572	schtasks.exe
428	schtasks.exe
2812	schtasks.exe
1424	schtasks.exe
4356	schtasks.exe
1472	schtasks.exe
1568	schtasks.exe
1652	schtasks.exe
1956	schtasks.exe
1732	schtasks.exe
1768	schtasks.exe
4516	schtasks.exe
1020	schtasks.exe
3704	schtasks.exe
4636	schtasks.exe
2904	schtasks.exe
1228	schtasks.exe
3260	schtasks.exe
3564	schtasks.exe
2616	schtasks.exe
1068	schtasks.exe
3324	schtasks.exe
4952	schtasks.exe
2880	schtasks.exe
3628	schtasks.exe
4000	schtasks.exe
2168	schtasks.exe
5088	schtasks.exe
5032	schtasks.exe
2388	schtasks.exe
4228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
3780	powershell.exe
3780	powershell.exe
3732	powershell.exe
3732	powershell.exe
1956	powershell.exe
1956	powershell.exe
324	powershell.exe
324	powershell.exe
2104	powershell.exe
2104	powershell.exe
3704	powershell.exe
3704	powershell.exe
4808	powershell.exe
4808	powershell.exe
640	powershell.exe
640	powershell.exe
3628	powershell.exe
3628	powershell.exe
1272	powershell.exe
1272	powershell.exe
3020	powershell.exe
3020	powershell.exe
3628	powershell.exe
3732	powershell.exe
3780	powershell.exe
640	powershell.exe
1956	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2280	RuntimeBroker.exe
Token: SeDebugPrivilege	3628	RuntimeBroker.exe
Token: SeDebugPrivilege	3732	RuntimeBroker.exe
Token: SeDebugPrivilege	4144	RuntimeBroker.exe
Token: SeDebugPrivilege	516	RuntimeBroker.exe
Token: SeDebugPrivilege	3392	RuntimeBroker.exe
Token: SeDebugPrivilege	3296	RuntimeBroker.exe
Token: SeDebugPrivilege	4620	RuntimeBroker.exe
Token: SeDebugPrivilege	948	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 3784	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	137
PID 1104 wrote to memory of 3784	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	137
PID 1104 wrote to memory of 3784	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	137
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 3784 wrote to memory of 1936	3784	tmp8937.tmp.exe	139
PID 1104 wrote to memory of 3020	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	143
PID 1104 wrote to memory of 3020	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	143
PID 1104 wrote to memory of 3732	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	144
PID 1104 wrote to memory of 3732	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	144
PID 1104 wrote to memory of 3780	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	145
PID 1104 wrote to memory of 3780	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	145
PID 1104 wrote to memory of 1272	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	146
PID 1104 wrote to memory of 1272	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	146
PID 1104 wrote to memory of 3704	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	147
PID 1104 wrote to memory of 3704	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	147
PID 1104 wrote to memory of 640	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	148
PID 1104 wrote to memory of 640	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	148
PID 1104 wrote to memory of 1956	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	149
PID 1104 wrote to memory of 1956	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	149
PID 1104 wrote to memory of 4808	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	150
PID 1104 wrote to memory of 4808	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	150
PID 1104 wrote to memory of 3628	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	151
PID 1104 wrote to memory of 3628	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	151
PID 1104 wrote to memory of 2104	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	152
PID 1104 wrote to memory of 2104	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	152
PID 1104 wrote to memory of 324	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	153
PID 1104 wrote to memory of 324	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	153
PID 1104 wrote to memory of 1568	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	164
PID 1104 wrote to memory of 1568	1104	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	164
PID 1568 wrote to memory of 1064	1568	cmd.exe	168
PID 1568 wrote to memory of 1064	1568	cmd.exe	168
PID 1568 wrote to memory of 2280	1568	cmd.exe	171
PID 1568 wrote to memory of 2280	1568	cmd.exe	171
PID 2280 wrote to memory of 4516	2280	RuntimeBroker.exe	172
PID 2280 wrote to memory of 4516	2280	RuntimeBroker.exe	172
PID 2280 wrote to memory of 4472	2280	RuntimeBroker.exe	173
PID 2280 wrote to memory of 4472	2280	RuntimeBroker.exe	173
PID 2280 wrote to memory of 3236	2280	RuntimeBroker.exe	174
PID 2280 wrote to memory of 3236	2280	RuntimeBroker.exe	174
PID 2280 wrote to memory of 3236	2280	RuntimeBroker.exe	174
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 3236 wrote to memory of 4680	3236	tmpD8BC.tmp.exe	176
PID 4516 wrote to memory of 3628	4516	WScript.exe	177
PID 4516 wrote to memory of 3628	4516	WScript.exe	177
PID 3628 wrote to memory of 3724	3628	RuntimeBroker.exe	178
PID 3628 wrote to memory of 3724	3628	RuntimeBroker.exe	178
PID 3628 wrote to memory of 2128	3628	RuntimeBroker.exe	179
PID 3628 wrote to memory of 2128	3628	RuntimeBroker.exe	179
PID 3628 wrote to memory of 3996	3628	RuntimeBroker.exe	181
PID 3628 wrote to memory of 3996	3628	RuntimeBroker.exe	181
PID 3628 wrote to memory of 3996	3628	RuntimeBroker.exe	181
PID 3996 wrote to memory of 708	3996	tmpF50E.tmp.exe	183
PID 3996 wrote to memory of 708	3996	tmpF50E.tmp.exe	183
PID 3996 wrote to memory of 708	3996	tmpF50E.tmp.exe	183

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
"C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1104
- C:\Users\Admin\AppData\Local\Temp\tmp8937.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8937.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\tmp8937.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8937.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOIWOltBet.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2280
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8295457-c329-4925-8a9d-9145a719c23d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b69d36d9-84b1-4fcf-b621-f92cbde3099a.vbs"
        6⤵
        
        PID:3724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75843cc5-ce3f-4b70-a083-8a61de191ed3.vbs"
        8⤵
        
        PID:2540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22cd85fd-2cfc-4ff4-ae03-ec0b54f2d719.vbs"
        10⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1fde7c2-e01b-468b-8032-fcc8c0031afa.vbs"
        12⤵
        
        PID:4056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a66160d4-331a-4b8d-bd23-2fdbf74406e1.vbs"
        14⤵
        
        PID:5088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f165e62a-c2c5-49d3-b34d-de3b6d35c850.vbs"
        16⤵
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9eccf28-85f7-432b-a326-b67de3dc6a8f.vbs"
        18⤵
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1da69fc-3e05-4870-a4c9-c525e93340d5.vbs"
        18⤵
        
        PID:3808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d15e256a-82e0-433c-800d-9ca4b05229f3.vbs"
        16⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe"
        16⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe"
        17⤵
        Suspicious use of SetThreadContext
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE923.tmp.exe"
        18⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a27e29c0-49fc-4326-a64f-7ca9909e1f8b.vbs"
        14⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        54⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        56⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        58⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        60⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        61⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        62⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        63⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        64⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        65⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        66⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        67⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        68⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        69⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        70⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        71⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        72⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        73⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        74⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        75⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        76⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        77⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        78⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        79⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        80⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        81⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        82⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        83⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        84⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        85⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        86⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        87⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        88⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        89⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        90⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        91⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        92⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        94⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        95⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        96⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        97⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        98⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        99⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        100⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        101⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        102⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        103⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        104⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        105⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        106⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        107⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        108⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        109⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        110⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        111⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        112⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        113⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        114⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        115⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        116⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        117⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        118⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        119⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        120⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        121⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        122⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        123⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        124⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        125⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        126⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        128⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        129⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        130⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        131⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        132⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        133⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        134⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        135⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        136⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        138⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        139⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        140⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        141⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        142⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        143⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        144⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        145⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        146⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        147⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        148⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        149⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        150⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        151⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        152⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        153⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        154⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        155⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        156⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        157⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        159⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        160⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        161⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        162⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        163⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        164⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        165⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        166⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        167⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        168⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        169⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        170⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        171⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        172⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        173⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        174⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        175⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        176⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        177⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        178⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        179⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        180⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        181⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        182⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        183⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        184⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        185⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        186⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        187⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        188⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        189⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        190⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        191⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        192⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        194⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        195⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        196⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        197⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        198⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        199⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        200⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        201⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        202⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        204⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        205⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        206⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        207⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        208⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        209⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        210⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        211⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        212⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        213⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        214⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        215⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        217⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        218⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        219⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        220⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        221⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        222⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        223⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        224⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        225⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        226⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        227⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        228⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        229⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        230⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        231⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        232⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        234⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        235⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        236⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        237⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        238⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        239⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        240⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        241⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        242⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        243⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        244⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        245⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        246⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        247⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        248⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        249⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        250⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        251⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        252⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        253⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        254⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        255⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        257⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        258⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        259⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        260⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        261⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        262⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        263⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        264⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        265⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        266⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        267⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        268⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        269⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        270⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        271⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        272⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        273⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        274⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        275⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        276⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        277⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        278⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        280⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        282⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        283⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        284⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        285⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        286⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        287⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        288⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        289⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        291⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        292⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        293⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        294⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        295⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        297⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        298⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        299⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        300⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        301⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        302⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        303⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        304⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        305⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        306⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        307⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        308⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        309⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        310⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        311⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        312⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        314⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        315⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        316⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        317⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        318⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        319⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        320⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        321⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        322⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        323⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        324⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        325⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        326⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        327⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        328⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        329⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        330⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        331⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        332⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        333⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        334⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        335⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        337⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        338⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        339⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        340⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        341⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        342⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        344⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        345⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        346⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        347⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        348⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        349⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        350⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        351⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        352⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        353⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        354⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        355⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        356⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        357⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        358⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        359⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        360⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        361⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        362⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        363⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        364⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        365⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        366⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        367⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        368⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        369⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        370⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        371⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        372⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        373⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        374⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        375⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        376⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        377⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        378⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        379⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        380⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        381⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        382⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        383⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        384⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        385⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        386⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        387⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        388⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        389⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        390⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        391⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        392⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        393⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        394⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        395⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        396⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        397⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        398⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        399⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        400⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        401⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        402⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        403⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        404⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        405⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        406⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        407⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        408⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        409⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        410⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        411⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        412⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        413⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        414⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        415⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        416⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        417⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        418⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        419⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        420⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        421⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        422⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        423⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        424⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        425⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        426⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        427⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        428⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        429⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        430⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        431⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        432⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        433⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        434⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        435⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        436⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        437⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        438⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        439⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        440⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        441⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        442⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        443⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        444⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        445⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        446⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        447⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        448⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        449⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        450⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        451⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        452⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        453⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        454⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        455⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        456⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        457⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        458⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        459⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        460⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        461⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        462⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        463⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        464⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        465⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        466⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        467⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        468⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        469⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        470⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        471⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        472⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        473⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        474⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        475⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        476⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        477⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        478⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        479⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        480⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        481⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        482⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        483⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        484⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        485⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        486⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        487⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        488⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        489⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        490⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        491⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        492⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        493⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        494⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        495⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        496⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        497⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        498⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        499⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        500⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        501⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        502⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        503⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        504⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        505⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        506⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        507⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        508⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        509⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        510⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        511⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        512⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        513⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        514⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        515⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        516⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        517⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        518⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        519⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        520⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        521⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        522⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        523⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        524⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        525⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        526⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        527⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        528⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        529⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        530⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        531⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        532⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        533⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        534⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        535⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        536⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        537⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        538⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        539⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        540⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        541⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        542⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        543⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        544⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        545⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        546⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        547⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        548⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        549⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        550⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        551⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        552⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        553⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        554⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        555⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        556⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        557⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        558⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        559⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        560⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        561⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        562⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        563⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        564⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        565⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        566⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        567⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        568⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        569⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        570⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        571⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        572⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        573⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        574⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        575⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        576⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        577⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        578⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        579⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        580⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        581⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        582⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        583⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        584⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        585⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        586⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        587⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        588⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        589⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        590⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        591⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        592⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        593⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        594⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        595⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        596⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        597⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        598⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        599⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        600⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        601⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        602⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        603⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        604⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        605⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        606⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        607⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        608⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        609⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        610⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        611⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        612⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        613⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        614⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        615⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        616⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        617⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        618⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        619⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        620⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        621⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        622⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        623⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        624⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        625⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        626⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        627⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        628⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        629⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        630⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        631⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        632⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        633⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        634⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        635⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        636⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        637⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        638⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        639⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        640⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        641⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        642⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        643⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        644⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        645⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        646⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        647⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        648⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        649⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        650⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        651⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        652⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        653⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        654⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        655⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        656⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        657⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        658⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        659⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        660⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        661⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        662⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        663⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        664⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        665⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        666⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        667⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        668⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        669⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        670⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        671⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        672⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        673⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        674⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        675⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        676⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        677⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        678⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        679⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        680⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        681⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        682⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        683⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        684⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        685⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        686⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        687⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        688⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        689⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        690⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        691⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        692⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        693⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        694⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        695⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        696⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        697⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        698⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        699⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        700⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        701⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        702⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        703⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        704⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        705⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        706⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        707⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        708⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        709⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        710⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        711⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        712⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        713⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        714⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        715⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        716⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        717⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        718⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        719⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        720⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        721⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        722⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        723⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        724⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        725⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        726⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        727⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        728⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        729⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        730⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        731⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        732⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        733⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        734⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        735⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        736⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        737⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        738⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        739⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        740⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        741⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        742⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        743⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        744⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        745⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        746⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        747⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        748⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        749⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        750⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        751⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        752⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        753⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        754⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        755⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        756⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        757⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        758⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        759⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        760⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        761⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        762⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        763⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        764⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        765⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        766⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        767⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        768⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        769⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        770⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        771⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        772⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        773⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        774⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        775⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        776⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        777⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        778⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        779⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        780⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        781⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        782⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        783⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        784⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        785⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        786⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        787⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        788⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        789⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        790⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        791⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        792⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        793⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        794⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        795⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        796⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        797⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        798⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        799⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        800⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        801⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        802⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        803⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        804⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        805⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        806⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        807⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        808⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        809⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        810⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        811⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        812⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        813⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        814⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        815⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        816⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        817⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        818⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        819⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        820⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        821⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        822⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        823⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        824⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        825⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        826⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        827⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        828⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        829⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        830⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        831⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        832⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        833⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        834⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        835⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        836⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        837⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        838⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        839⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        840⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        841⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        842⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        843⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        844⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        845⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        846⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        847⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        848⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        849⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        850⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        851⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        852⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        853⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        854⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        855⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        856⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        857⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        858⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        859⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        860⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        861⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        862⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        863⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        864⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        865⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        866⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        867⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        868⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        869⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        870⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        871⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        872⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        873⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        874⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        875⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        876⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        877⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        878⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        879⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        880⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        881⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        882⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        883⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        884⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        885⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        886⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        887⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        888⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        889⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        890⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        891⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        892⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        893⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        894⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        895⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        896⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        897⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        898⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        899⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        900⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        901⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        902⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        903⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        904⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        905⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        906⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        907⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        908⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        909⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        910⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        911⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        912⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        913⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        914⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        915⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        916⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        917⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        918⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        919⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        920⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        921⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        922⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        923⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        924⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        925⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        926⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        927⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        928⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB83F.tmp.exe"
        929⤵
        
        PID:3820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59090c80-8897-41cc-8e02-7390f88062ac.vbs"
        12⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp86DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp86DE.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp86DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp86DE.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3506bf3b-5e33-417e-8587-2d8a2cc21132.vbs"
        10⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a608c7-27f9-4f71-bcf6-2be167ba1956.vbs"
        8⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp243C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp243C.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp243C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp243C.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:2016
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\251c8774-3879-4d97-aa4b-2c5ab6b6252c.vbs"
        6⤵
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF50E.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01f9bcc-7b90-4ee9-b9d4-de4792b16004.vbs"
      4⤵
      PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Packages\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Packages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Globalization\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe

Filesize
4.9MB

MD5
95176c42771becda19c1c279c475d061

SHA1
79ce4145704d401a04c619ff7a3464ed68cb5e0c

SHA256
ef9e138591cfe23a9e7fd6aab3ed30e56a2dc5ae76916309fcfd223762693a4c

SHA512
9aca43b397c66a1dbcd17ba4f418921a826f71d21f8bcff91a1e59338f59d9a9af824058ea1e7510247b45bb6b9ab4224cf9c1cecc92ecf7dc2cc4545336bc6d

Download Submit
C:\Program Files\Windows Defender\services.exe

Filesize
4.9MB

MD5
7f520f773cc8fb736b927f3a1832c06a

SHA1
3631b94111cddf94ad44020520bc6690a67e1b3b

SHA256
9fe786de9ff33ce0c70e33543e92d6ad4eb74e68eacb0402e0fb2986ccc0afa8

SHA512
8dd685ed55e8d681b6b7eefdcc829afc14978be86a082300b2f5a348907645b49f1c32261f430df17d4cfd7b45d13d702fda6585684e7a3d5502fdc87b81775f

Download Submit
C:\Program Files\Windows Mail\csrss.exe

Filesize
4.9MB

MD5
cd626721ddbf36b45d9fdfd603d57527

SHA1
a6bd615cf2fa4f8510f3444f04c45e85c9b35d06

SHA256
3ec63e1292ebd43b37c4aaedf1b5fa5e860ee39e121da81f6731f76e560967d7

SHA512
2572d303327014b4aabd2cb27efcae9698e9b84b873f9ea26f534c742b007527174348537f10e37a90ae5bdd33d0dd382fe48aef9915550c59adad75a49f0660

Download Submit
C:\Program Files\Windows Media Player\ja-JP\RCXA6DF.tmp

Filesize
4.9MB

MD5
2228adbd2542141c92d290f60603e545

SHA1
b67c9d4697d780eb71292d9f6c1aed2a54903ba0

SHA256
f4ef22ceffd287e5ca738827a0bd9c6251f006c8a5ef672581e5bc2dbf331b61

SHA512
9136a33859b2a4926e341bb8bd60b9e0ac554321b9a420356510c3ac2e893625cd1410812eee5c975cdd3ce61352222ca0c0209e3d1873022c7776fd76a4203c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\22cd85fd-2cfc-4ff4-ae03-ec0b54f2d719.vbs

Filesize
740B

MD5
bf8ba9adecabd69eee83e47784797468

SHA1
268fbde4932e321c85fb946cf6407592a09d645d

SHA256
d9bb3a7376c0753065b960ead12143f1bf2442c202ea3e41436ec6d56c1eeace

SHA512
a9be2871f2e78061ae660cc3a422dae3d26e25c1b7c26b558bb4beb4f9cca16f07062e8d6efdd32d38d8eb1fa138f0d058819c063555afcfdb7aa08207844915

Download Submit
C:\Users\Admin\AppData\Local\Temp\75843cc5-ce3f-4b70-a083-8a61de191ed3.vbs

Filesize
740B

MD5
4a232685c7af681a1b08979b6a5be780

SHA1
704d0baa54a4765f79e33fbe324a82520e2729f2

SHA256
6b709ec318c5bfe1ca08e90c98355097673e2d4f2e607800b967fb0debc9a60c

SHA512
980e75d5024f8ce05f18b9ef5654124ea8f8dfe39e4fff08ddcb2fa5e70835db09e9384ac9cbec1e2498f04dce057b0a22ceec0aa6b79464db4dd057f47e9e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qt1z5fuw.x1n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1fde7c2-e01b-468b-8032-fcc8c0031afa.vbs

Filesize
739B

MD5
fa6cd8ecf62b8ed931136ca4c562e04d

SHA1
3e4f8913035223b0620e5924fc002102f2d41fbb

SHA256
9c66cd4a4b3d859cf2131c2e50d23b5f5e3a563ff537c5c7a0cf3a869f4eb622

SHA512
284278cb00499c74c514047a643aa5ebfca960dc740e621b992bd59eb359e3e33c7bfe7096dcaf4dca29d6b4a1eb5f777098794b1a58647dc5a4aa509d280442

Download Submit
C:\Users\Admin\AppData\Local\Temp\a66160d4-331a-4b8d-bd23-2fdbf74406e1.vbs

Filesize
740B

MD5
5e8fa943387a29c7f58de5bd1432609f

SHA1
db24cc683326027d35c417191fd160dd8f0aed71

SHA256
b26e07a38d7ed5a2f68f9adce5a731a72a68c68998076669aa3c9bcdd95247f5

SHA512
da40fee390f57a6a9762fe97161254354b94574d71ba1511c0192fb96bef330b668b63217f4722f2980e89f00819e0e796cf441cee6a7f8b1a7d8c6ec63f43dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8295457-c329-4925-8a9d-9145a719c23d.vbs

Filesize
740B

MD5
fd8d4b3ea7861fa4c86f1c8620188572

SHA1
00c40f37df253bcb58977719fe70cddad5cb22ee

SHA256
8f9cc78ad8247a3fc575e4a2db8ead2a1e82ab0ae03e3d243222046ae6f922bd

SHA512
5b53f5403671729f8591c00be29fd0673c7a8dbae66349b115ed4598a7582a7444ce841f6462571756fd7c21390d19fe8998f0c3c7ac89ec284e7839520bb664

Download Submit
C:\Users\Admin\AppData\Local\Temp\b01f9bcc-7b90-4ee9-b9d4-de4792b16004.vbs

Filesize
516B

MD5
e9356cd6aeb2148fb37662983507d880

SHA1
99d1ea91fd638255b22e5d79d6fe85e4477dc2cf

SHA256
ca98a3baa479f3577db2ba7e5b8be0931ff751dd2518543dc3083fef93499075

SHA512
40b696bee57cceae9d4c4f82a0ad8218d0f21316831580466e84a2adf6e46d4766e624e421b8be94dad7e53bda004b276dca475cf4707fe0eda498634b7e659c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b69d36d9-84b1-4fcf-b621-f92cbde3099a.vbs

Filesize
740B

MD5
e5f59e0a9396e48b3a13520b30b30da2

SHA1
916193fd76bb6c72cf0de5d328f046781cfc2234

SHA256
331f6799f2d73e7de95dba74f6c132a7a468a40eb8618e91458611fe0c5e3bab

SHA512
327c00ab8d91218eeb5700c85bf956281e8dae0653a419ae081f5709baa5d92cbb41f549d6ac209ec45ae7a300fca04a941ec82af3dd1c6a52c187eec8aae74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8937.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOIWOltBet.bat

Filesize
229B

MD5
98cc89e80a111c5446c158bfcff322b4

SHA1
7a46061d5512e04715f5b277e2fe5310c00bd3de

SHA256
2ca9c6650c07fb812196006ad58d77acd2a63404d82fcf51df80f5cc758517c1

SHA512
ecec0a4c9820ead3ea04f3b1ecc1ef3c357a6929196e544d2fb80895ff2b3a64349836fe055dc19ec41c4ac7cb557259b52f293091fdc5b8f250bccbbaf8e2d1

Download Submit
C:\Windows\Globalization\wininit.exe

Filesize
4.9MB

MD5
5a9fb15e8fc1d8162c861ca1544f38f0

SHA1
a7606e286eb27a1a5e95693c594de5c65c5d7aa1

SHA256
b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

SHA512
a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d

Download Submit
memory/1104-13-0x000000001C490000-0x000000001C49A000-memory.dmp

Filesize
40KB

Download
memory/1104-11-0x000000001C480000-0x000000001C492000-memory.dmp

Filesize
72KB

Download
memory/1104-149-0x00007FFAEF173000-0x00007FFAEF175000-memory.dmp

Filesize
8KB

Download
memory/1104-197-0x00007FFAEF170000-0x00007FFAEFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1104-0-0x0000000000A90000-0x0000000000F84000-memory.dmp

Filesize
5.0MB

Download
memory/1104-2-0x00007FFAEF170000-0x00007FFAEFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1104-18-0x000000001C530000-0x000000001C53C000-memory.dmp

Filesize
48KB

Download
memory/1104-16-0x000000001C510000-0x000000001C518000-memory.dmp

Filesize
32KB

Download
memory/1104-17-0x000000001C520000-0x000000001C528000-memory.dmp

Filesize
32KB

Download
memory/1104-12-0x000000001CA20000-0x000000001CF48000-memory.dmp

Filesize
5.2MB

Download
memory/1104-14-0x000000001C4F0000-0x000000001C4FE000-memory.dmp

Filesize
56KB

Download
memory/1104-15-0x000000001C500000-0x000000001C50E000-memory.dmp

Filesize
56KB

Download
memory/1104-1-0x00007FFAEF173000-0x00007FFAEF175000-memory.dmp

Filesize
8KB

Download
memory/1104-164-0x00007FFAEF170000-0x00007FFAEFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1104-10-0x000000001C470000-0x000000001C47A000-memory.dmp

Filesize
40KB

Download
memory/1104-8-0x000000001C450000-0x000000001C466000-memory.dmp

Filesize
88KB

Download
memory/1104-3-0x000000001BC90000-0x000000001BDBE000-memory.dmp

Filesize
1.2MB

Download
memory/1104-9-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/1104-6-0x0000000003040000-0x0000000003048000-memory.dmp

Filesize
32KB

Download
memory/1104-7-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/1104-5-0x000000001C4A0000-0x000000001C4F0000-memory.dmp

Filesize
320KB

Download
memory/1104-4-0x0000000003060000-0x000000000307C000-memory.dmp

Filesize
112KB

Download
memory/1936-81-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2280-325-0x0000000000870000-0x0000000000D64000-memory.dmp

Filesize
5.0MB

Download
memory/3392-446-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/3732-376-0x000000001D140000-0x000000001D152000-memory.dmp

Filesize
72KB

Download
memory/3780-207-0x000001B3AE7D0000-0x000001B3AE7F2000-memory.dmp

Filesize
136KB

Download