colibri | 8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Size

4.9MB
MD5

87c0d521f3387245929438143a477b30
SHA1

d427908e35f8a94c83750d923b32c91583091981
SHA256

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93
SHA512

f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2740	schtasks.exe	84

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2652-2-0x000000001C1D0000-0x000000001C2FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
4732	powershell.exe
4572	powershell.exe
4940	powershell.exe
4748	powershell.exe
224	powershell.exe
2588	powershell.exe
4564	powershell.exe
3488	powershell.exe
3140	powershell.exe
4948	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2916	tmpBD83.tmp.exe
4872	tmpBD83.tmp.exe
1384	tmpBD83.tmp.exe
4708	tmpBD83.tmp.exe
4004	tmpBD83.tmp.exe
3868	tmpBD83.tmp.exe
2360	tmpBD83.tmp.exe
3204	tmpBD83.tmp.exe
2104	tmpBD83.tmp.exe
4408	tmpBD83.tmp.exe
4716	tmpBD83.tmp.exe
876	tmpBD83.tmp.exe
3824	tmpBD83.tmp.exe
5112	tmpBD83.tmp.exe
4184	tmpBD83.tmp.exe
2948	tmpBD83.tmp.exe
3196	tmpBD83.tmp.exe
3352	tmpBD83.tmp.exe
4840	tmpBD83.tmp.exe
936	tmpBD83.tmp.exe
680	tmpBD83.tmp.exe
2072	tmpBD83.tmp.exe
1880	tmpBD83.tmp.exe
3060	tmpBD83.tmp.exe
2340	tmpBD83.tmp.exe
3480	tmpBD83.tmp.exe
2780	tmpBD83.tmp.exe
2856	tmpBD83.tmp.exe
2164	tmpBD83.tmp.exe
3392	tmpBD83.tmp.exe
2496	tmpBD83.tmp.exe
4660	tmpBD83.tmp.exe
4644	tmpBD83.tmp.exe
5012	tmpBD83.tmp.exe
4988	tmpBD83.tmp.exe
2260	tmpBD83.tmp.exe
4748	tmpBD83.tmp.exe
452	tmpBD83.tmp.exe
3100	tmpBD83.tmp.exe
2060	tmpBD83.tmp.exe
392	tmpBD83.tmp.exe
4872	tmpBD83.tmp.exe
740	tmpBD83.tmp.exe
1148	tmpBD83.tmp.exe
2864	tmpBD83.tmp.exe
3716	tmpBD83.tmp.exe
3652	tmpBD83.tmp.exe
1532	tmpBD83.tmp.exe
3104	tmpBD83.tmp.exe
2928	tmpBD83.tmp.exe
2104	tmpBD83.tmp.exe
3964	tmpBD83.tmp.exe
4128	tmpBD83.tmp.exe
1272	tmpBD83.tmp.exe
1780	tmpBD83.tmp.exe
876	tmpBD83.tmp.exe
4560	tmpBD83.tmp.exe
2516	tmpBD83.tmp.exe
2152	tmpBD83.tmp.exe
4348	tmpBD83.tmp.exe
2620	tmpBD83.tmp.exe
5004	tmpBD83.tmp.exe
2948	tmpBD83.tmp.exe
2148	tmpBD83.tmp.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 4744	4552	tmpFB19.tmp.exe	1171
PID 3688 set thread context of 3336	3688	Process not Found	2280
PID 3332 set thread context of 2380	3332	Process not Found	2715
PID 4932 set thread context of 3360	4932	Process not Found	3197
PID 4588 set thread context of 1812	4588	Process not Found	4241
PID 2040 set thread context of 4340	2040	Process not Found	4463
PID 3332 set thread context of 2636	3332	Process not Found	5076
PID 4712 set thread context of 1960	4712	Process not Found	5513
PID 4244 set thread context of 3972	4244	Process not Found	5425
PID 2640 set thread context of 2184	2640	Process not Found	6215
PID 4796 set thread context of 1360	4796	Process not Found	6567
PID 3192 set thread context of 4268	3192	Process not Found	6982

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXD20E.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Mail\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE232.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Mail\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Mail\69ddcba757bf72	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Uninstall Information\SppExtComObj.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Uninstall Information\SppExtComObj.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Uninstall Information\e1ef82546f0b02	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\ModifiableWindowsApps\unsecapp.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\56085415360792	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC5B4.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD618.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXE437.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\Registry.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Sun\sppsvc.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\SchCache\Registry.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\uk-UA\SppExtComObj.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Speech\Engines\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\uk-UA\RCXC3A0.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCXE63C.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Sun\RCXE840.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\uk-UA\SppExtComObj.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\uk-UA\e1ef82546f0b02	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Sun\Java\Deployment\winlogon.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Sun\Java\Deployment\cc11b995f2a76d	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\PrintDialog\Assets\RCXD81C.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\PrintDialog\Assets\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\SchCache\RCXDC25.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\winlogon.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\PrintDialog\Assets\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\SchCache\ee2ad38f3d4382	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Sun\sppsvc.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Speech\Engines\56085415360792	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\PrintDialog\Assets\27d1bcfc3c54e0	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Sun\0a1fd5f707cd16	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Speech\Engines\RCXCDE6.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Speech\Engines\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..licationframe-frame_31bf3856ad364e35_10.0.19041.1_none_73046ed56177b039\RuntimeBroker.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\servicing\sysmon.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD83.tmp.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3244	schtasks.exe
1208	schtasks.exe
4844	schtasks.exe
4812	schtasks.exe
3404	schtasks.exe
2144	schtasks.exe
1812	schtasks.exe
628	schtasks.exe
2272	schtasks.exe
712	schtasks.exe
2588	schtasks.exe
1336	schtasks.exe
2076	schtasks.exe
1016	schtasks.exe
2356	schtasks.exe
4232	schtasks.exe
3020	schtasks.exe
1028	schtasks.exe
5052	schtasks.exe
1588	schtasks.exe
4288	schtasks.exe
4108	schtasks.exe
1984	schtasks.exe
916	schtasks.exe
712	schtasks.exe
1360	schtasks.exe
1584	schtasks.exe
3488	schtasks.exe
3904	schtasks.exe
1676	schtasks.exe
1812	schtasks.exe
2676	schtasks.exe
2260	schtasks.exe
3012	schtasks.exe
2976	schtasks.exe
3776	schtasks.exe
4508	schtasks.exe
4796	schtasks.exe
4660	schtasks.exe
4412	schtasks.exe
760	schtasks.exe
3448	schtasks.exe
3340	schtasks.exe
2296	schtasks.exe
3232	schtasks.exe
3780	schtasks.exe
1336	schtasks.exe
4868	schtasks.exe
3700	schtasks.exe
4908	schtasks.exe
2352	schtasks.exe
1856	schtasks.exe
1876	schtasks.exe
2868	schtasks.exe
4556	schtasks.exe
1148	schtasks.exe
3292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3140	powershell.exe
3140	powershell.exe
4564	powershell.exe
4564	powershell.exe
4940	powershell.exe
4940	powershell.exe
3488	powershell.exe
3488	powershell.exe
4948	powershell.exe
4948	powershell.exe
4572	powershell.exe
4572	powershell.exe
2588	powershell.exe
2588	powershell.exe
4732	powershell.exe
4732	powershell.exe
224	powershell.exe
224	powershell.exe
4564	powershell.exe
1728	powershell.exe
1728	powershell.exe
4748	powershell.exe
4748	powershell.exe
1728	powershell.exe
4940	powershell.exe
3140	powershell.exe
3140	powershell.exe
4732	powershell.exe
224	powershell.exe
2588	powershell.exe
4572	powershell.exe
3488	powershell.exe
4948	powershell.exe
4748	powershell.exe
4760	sysmon.exe
4760	sysmon.exe
4240	Process not Found
3980	Process not Found
1300	Process not Found
2584	Process not Found
392	Process not Found
4420	Process not Found
1808	Process not Found
2248	Process not Found
2248	Process not Found
4856	Process not Found
1960	Process not Found

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4760	sysmon.exe
Token: SeDebugPrivilege	4240	Process not Found
Token: SeDebugPrivilege	3980	Process not Found
Token: SeDebugPrivilege	1300	Process not Found
Token: SeDebugPrivilege	2584	Process not Found
Token: SeDebugPrivilege	392	Process not Found
Token: SeDebugPrivilege	4420	Process not Found
Token: SeDebugPrivilege	1808	Process not Found
Token: SeDebugPrivilege	2248	Process not Found
Token: SeDebugPrivilege	4856	Process not Found
Token: SeDebugPrivilege	1960	Process not Found
Token: SeDebugPrivilege	2368	Process not Found
Token: SeDebugPrivilege	3532	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2916	2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	104
PID 2652 wrote to memory of 2916	2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	104
PID 2652 wrote to memory of 2916	2652	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	104
PID 2916 wrote to memory of 4872	2916	tmpBD83.tmp.exe	184
PID 2916 wrote to memory of 4872	2916	tmpBD83.tmp.exe	184
PID 2916 wrote to memory of 4872	2916	tmpBD83.tmp.exe	184
PID 4872 wrote to memory of 1384	4872	tmpBD83.tmp.exe	115
PID 4872 wrote to memory of 1384	4872	tmpBD83.tmp.exe	115
PID 4872 wrote to memory of 1384	4872	tmpBD83.tmp.exe	115
PID 1384 wrote to memory of 4708	1384	tmpBD83.tmp.exe	116
PID 1384 wrote to memory of 4708	1384	tmpBD83.tmp.exe	116
PID 1384 wrote to memory of 4708	1384	tmpBD83.tmp.exe	116
PID 4708 wrote to memory of 4004	4708	tmpBD83.tmp.exe	117
PID 4708 wrote to memory of 4004	4708	tmpBD83.tmp.exe	117
PID 4708 wrote to memory of 4004	4708	tmpBD83.tmp.exe	117
PID 4004 wrote to memory of 3868	4004	tmpBD83.tmp.exe	118
PID 4004 wrote to memory of 3868	4004	tmpBD83.tmp.exe	118
PID 4004 wrote to memory of 3868	4004	tmpBD83.tmp.exe	118
PID 3868 wrote to memory of 2360	3868	tmpBD83.tmp.exe	120
PID 3868 wrote to memory of 2360	3868	tmpBD83.tmp.exe	120
PID 3868 wrote to memory of 2360	3868	tmpBD83.tmp.exe	120
PID 2360 wrote to memory of 3204	2360	tmpBD83.tmp.exe	122
PID 2360 wrote to memory of 3204	2360	tmpBD83.tmp.exe	122
PID 2360 wrote to memory of 3204	2360	tmpBD83.tmp.exe	122
PID 3204 wrote to memory of 2104	3204	tmpBD83.tmp.exe	193
PID 3204 wrote to memory of 2104	3204	tmpBD83.tmp.exe	193
PID 3204 wrote to memory of 2104	3204	tmpBD83.tmp.exe	193
PID 2104 wrote to memory of 4408	2104	tmpBD83.tmp.exe	125
PID 2104 wrote to memory of 4408	2104	tmpBD83.tmp.exe	125
PID 2104 wrote to memory of 4408	2104	tmpBD83.tmp.exe	125
PID 4408 wrote to memory of 4716	4408	tmpBD83.tmp.exe	127
PID 4408 wrote to memory of 4716	4408	tmpBD83.tmp.exe	127
PID 4408 wrote to memory of 4716	4408	tmpBD83.tmp.exe	127
PID 4716 wrote to memory of 876	4716	tmpBD83.tmp.exe	198
PID 4716 wrote to memory of 876	4716	tmpBD83.tmp.exe	198
PID 4716 wrote to memory of 876	4716	tmpBD83.tmp.exe	198
PID 876 wrote to memory of 3824	876	tmpBD83.tmp.exe	132
PID 876 wrote to memory of 3824	876	tmpBD83.tmp.exe	132
PID 876 wrote to memory of 3824	876	tmpBD83.tmp.exe	132
PID 3824 wrote to memory of 5112	3824	tmpBD83.tmp.exe	133
PID 3824 wrote to memory of 5112	3824	tmpBD83.tmp.exe	133
PID 3824 wrote to memory of 5112	3824	tmpBD83.tmp.exe	133
PID 5112 wrote to memory of 4184	5112	tmpBD83.tmp.exe	134
PID 5112 wrote to memory of 4184	5112	tmpBD83.tmp.exe	134
PID 5112 wrote to memory of 4184	5112	tmpBD83.tmp.exe	134
PID 4184 wrote to memory of 2948	4184	tmpBD83.tmp.exe	205
PID 4184 wrote to memory of 2948	4184	tmpBD83.tmp.exe	205
PID 4184 wrote to memory of 2948	4184	tmpBD83.tmp.exe	205
PID 2948 wrote to memory of 3196	2948	tmpBD83.tmp.exe	139
PID 2948 wrote to memory of 3196	2948	tmpBD83.tmp.exe	139
PID 2948 wrote to memory of 3196	2948	tmpBD83.tmp.exe	139
PID 3196 wrote to memory of 3352	3196	tmpBD83.tmp.exe	141
PID 3196 wrote to memory of 3352	3196	tmpBD83.tmp.exe	141
PID 3196 wrote to memory of 3352	3196	tmpBD83.tmp.exe	141
PID 3352 wrote to memory of 4840	3352	tmpBD83.tmp.exe	143
PID 3352 wrote to memory of 4840	3352	tmpBD83.tmp.exe	143
PID 3352 wrote to memory of 4840	3352	tmpBD83.tmp.exe	143
PID 4840 wrote to memory of 936	4840	tmpBD83.tmp.exe	144
PID 4840 wrote to memory of 936	4840	tmpBD83.tmp.exe	144
PID 4840 wrote to memory of 936	4840	tmpBD83.tmp.exe	144
PID 936 wrote to memory of 680	936	tmpBD83.tmp.exe	213
PID 936 wrote to memory of 680	936	tmpBD83.tmp.exe	213
PID 936 wrote to memory of 680	936	tmpBD83.tmp.exe	213
PID 680 wrote to memory of 2072	680	tmpBD83.tmp.exe	147

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
"C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        54⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        56⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        58⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        59⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        60⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        61⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        62⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        63⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        64⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        65⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        66⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        67⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        68⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        69⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        70⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        71⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        73⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        74⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        75⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        76⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        77⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        78⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        79⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        80⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        81⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        82⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        83⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        84⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        85⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        86⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        87⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        88⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        89⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        90⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        91⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        92⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        93⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        94⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        95⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        96⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        97⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        98⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        99⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        100⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        101⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        102⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        103⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        104⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        105⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        106⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        107⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        108⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        109⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        110⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        111⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        112⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        113⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        114⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        115⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        116⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        117⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        118⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        119⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        120⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        121⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        122⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        123⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        124⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        125⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        126⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        127⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        128⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        129⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        130⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        131⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        132⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        133⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        134⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        135⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        136⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        137⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        138⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        139⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        140⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        141⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        142⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        143⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        144⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        145⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        146⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        147⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        148⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        149⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        150⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        151⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        152⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        153⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        154⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        155⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        156⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        157⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        158⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        159⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        160⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        161⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        162⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        163⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        164⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        165⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        166⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        167⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        168⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        169⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        170⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        171⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        172⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        173⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        174⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        175⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        176⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        177⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        178⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        179⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        180⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        181⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        182⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        183⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        184⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        185⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        186⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        187⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        188⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        189⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        190⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        191⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        192⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        193⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        194⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        195⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        196⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        197⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        198⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        199⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        200⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        201⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        202⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        203⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        204⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        205⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        206⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        207⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        208⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        209⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        210⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        211⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        212⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        213⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        214⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        215⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        216⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        217⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        218⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        219⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        220⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        221⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        222⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        223⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        224⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        225⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        226⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        227⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        228⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        229⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        230⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        231⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        232⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        233⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        234⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        235⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        236⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        237⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        238⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        239⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        240⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        241⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        242⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        243⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        244⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        245⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        246⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        247⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        248⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        249⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        250⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        251⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        252⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        253⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        254⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        255⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        256⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        257⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        258⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        259⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        260⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        261⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        262⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        263⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        264⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        266⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        267⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        268⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        269⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        270⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        271⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        272⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        273⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        274⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        275⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        276⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        277⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        278⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        279⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        280⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        281⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        282⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        283⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        284⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        285⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        286⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        287⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        288⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        289⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        290⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        291⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        292⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        293⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        294⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        295⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        296⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        297⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        298⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        299⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        300⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        301⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        302⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        303⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        304⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        305⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        306⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        307⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        308⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        309⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        310⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        311⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        312⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        313⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        314⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        315⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        316⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        317⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        318⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        319⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        320⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        321⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        322⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        323⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        324⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        325⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        326⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        327⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        328⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        329⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        330⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        331⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        332⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        333⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        334⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        335⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        336⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        337⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        338⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        339⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        340⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        341⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        342⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        343⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        344⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        345⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        346⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        347⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        348⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        349⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        350⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        351⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        352⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        353⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        354⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        355⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        356⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        357⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        358⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        359⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        360⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        361⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        362⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        363⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        364⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        365⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        366⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        367⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        368⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        369⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        370⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        371⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        372⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        373⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        374⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        375⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        376⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        377⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        378⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        379⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        380⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        381⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        382⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        383⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        384⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        385⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        386⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        387⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        388⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        389⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        390⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        391⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        392⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        393⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        394⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        395⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        396⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        397⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        398⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        399⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        400⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        401⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        402⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        403⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        404⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        405⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        406⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        407⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        408⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        409⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        410⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        411⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        412⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        413⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        414⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        415⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        416⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        417⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        418⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        419⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        420⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        421⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        422⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        423⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        424⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        425⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        426⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        427⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        428⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        429⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        430⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        431⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        432⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        433⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        434⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        435⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        436⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        437⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        438⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        439⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        440⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        441⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        442⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        443⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        444⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        445⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        446⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        447⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        448⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        449⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        450⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        451⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        452⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        453⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        454⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        455⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        456⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        457⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        458⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        459⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        460⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        461⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        462⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        463⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        464⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        465⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        466⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        467⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        468⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        469⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        470⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        471⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        472⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        473⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        474⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        475⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        476⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        477⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        478⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        479⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        480⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        481⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        482⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        483⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        484⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        485⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        486⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        487⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        488⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        489⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        490⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        491⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        492⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        493⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        494⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        495⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        496⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        497⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        498⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        499⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        500⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        501⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        502⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        503⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        504⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        505⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        506⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        507⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        508⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        509⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        510⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        511⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        512⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        513⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        514⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        515⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        516⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        517⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        518⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        519⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        520⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        521⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        522⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        523⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        524⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        525⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        526⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        527⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        528⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        529⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        530⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        531⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        532⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        533⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        534⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        535⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        536⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        537⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        538⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        539⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        540⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        541⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        542⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        543⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        544⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        545⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        546⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        547⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        548⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        549⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        550⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        551⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        552⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        553⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        554⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        555⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        556⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        557⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        558⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        559⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        560⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        561⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        562⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        563⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        564⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        565⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        566⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        567⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        568⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        569⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        570⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        571⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        572⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        573⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        574⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        575⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        576⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        577⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        578⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        579⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        580⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        581⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        582⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        583⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        584⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        585⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        586⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        587⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        588⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        589⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        590⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        591⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        592⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        593⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        594⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        595⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        596⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        597⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        598⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        599⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        600⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        601⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        602⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        603⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        604⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        605⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        606⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        607⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        608⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        609⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        610⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        611⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        612⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        613⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        614⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        615⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        616⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        617⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        618⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        619⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        620⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        621⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        622⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        623⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        624⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        625⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        626⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        627⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        628⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        629⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        630⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        631⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        632⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        633⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        634⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        635⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        636⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        637⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        638⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        639⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        640⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        641⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        642⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        643⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        644⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        645⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        646⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        647⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        648⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        649⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        650⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        651⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        652⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        653⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        654⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        655⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        656⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        657⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        658⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        659⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        660⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        661⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        662⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        663⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        664⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        665⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        666⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        667⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        668⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        669⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        670⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        671⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        672⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        673⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        674⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        675⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        676⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        677⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        678⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        679⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        680⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        681⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        682⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        683⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        684⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        685⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        686⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        687⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        688⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        689⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        690⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        691⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        692⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        693⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        694⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        695⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        696⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        697⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        698⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        699⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        700⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        701⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        702⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        703⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        704⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        705⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        706⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        707⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        708⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        709⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        710⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        711⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        712⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        713⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        714⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        715⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        716⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        717⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        718⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        719⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        720⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        721⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        722⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        723⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        724⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        725⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        726⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        727⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        728⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        729⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        730⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        731⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        732⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        733⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        734⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        735⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        736⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        737⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        738⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        739⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        740⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        741⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        742⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        743⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        744⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        745⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        746⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        747⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        748⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        749⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        750⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        751⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        752⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        753⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        754⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        755⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        756⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        757⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        758⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        759⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        760⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        761⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        762⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        763⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        764⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        765⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        766⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        767⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        768⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        769⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        770⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        771⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        772⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        773⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        774⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        775⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        776⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        777⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        778⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        779⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        780⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        781⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        782⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        783⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        784⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        785⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        786⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        787⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        788⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        789⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        790⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        791⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        792⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        793⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        794⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        795⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        796⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        797⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        798⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        799⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        800⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        801⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        802⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        803⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        804⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        805⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        806⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        807⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        808⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        809⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        810⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        811⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        812⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        813⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        814⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        815⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        816⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        817⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        818⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        819⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        820⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        821⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        822⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        823⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        824⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        825⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        826⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        827⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        828⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        829⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        830⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        831⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        832⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        833⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        834⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        835⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        836⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        837⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        838⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        839⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        840⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        841⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        842⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        843⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        844⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        845⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        846⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        847⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        848⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        849⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        850⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        851⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        852⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        853⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        854⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        855⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        856⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        857⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        858⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        859⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        860⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        861⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        862⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        863⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        864⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        865⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        866⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        867⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        868⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        869⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        870⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        871⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        872⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        873⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        874⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        875⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        876⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        877⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        878⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        879⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        880⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        881⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        882⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        883⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        884⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        885⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        886⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        887⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        888⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        889⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        890⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        891⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        892⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        893⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        894⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        895⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        896⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        897⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        898⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        899⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        900⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        901⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        902⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        903⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        904⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        905⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        906⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        907⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        908⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        909⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        910⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        911⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        912⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        913⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        914⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        915⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        916⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        917⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        918⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        919⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        920⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        921⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        922⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        923⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        924⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        925⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        926⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        927⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        928⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        929⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        930⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        931⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        932⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        933⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        934⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        935⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        936⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        937⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        938⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        939⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        940⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        941⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        942⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        943⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        944⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        945⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        946⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        947⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        948⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        949⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe"
        950⤵
        
        PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Recovery\WindowsRE\sysmon.exe
  "C:\Recovery\WindowsRE\sysmon.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9ad5626-7542-4e03-a280-68bae0f592fe.vbs"
    3⤵
    PID:2596
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b71f395c-fd63-4b46-97af-0be7992474a0.vbs"
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\tmpFB19.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpFB19.tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\tmpFB19.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpFB19.tmp.exe"
      4⤵
      PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\Assets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SchCache\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Sun\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sysmon.exe

Filesize
4.9MB

MD5
87c0d521f3387245929438143a477b30

SHA1
d427908e35f8a94c83750d923b32c91583091981

SHA256
8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

SHA512
f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbre14bk.3zk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef02a527-437e-4ffc-9fe6-b9567c68bc16.vbs

Filesize
484B

MD5
69b116fd5ed9e235522eae54e8cb124e

SHA1
4f7985299066851a13c4ff31d3e215514ddaba5f

SHA256
1b2f2c129763716efb50db20f79f3bb39b33a3baa1d2a72c7d5ac3b7a1727b23

SHA512
791038701fb046d60d2e07cc8530c1720d7b36ef2f22c6be7419db02bceb80acba0e6b2312d5d0eedb311f3ff0312540574f1d3d1c6f23f1f6085db54c9b1985

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\Speech\Engines\RCXCDE6.tmp

Filesize
4.9MB

MD5
4b67ec5e5ff9ee4c8342793cf95ab5bc

SHA1
8b917cee295cf658c742a6c7eb940ebf116c81f1

SHA256
9ed9a544426f4066694a81fdfa280aa3a2d6a44fbcc127ea7b6a9225fc5feba8

SHA512
8b2faea5253e4adf7766bbaff542c0d57a5755ab8a590d86c5d00c7fe504927c0ea3d4b3c9a6f2130a036d15b460905f850424e2be7bea8d89d47626b624ad7e

Download Submit
memory/1300-4600-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/2652-9-0x000000001C960000-0x000000001C970000-memory.dmp

Filesize
64KB

Download
memory/2652-7-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download
memory/2652-8-0x000000001C940000-0x000000001C956000-memory.dmp

Filesize
88KB

Download
memory/2652-6-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/2652-10-0x000000001C970000-0x000000001C97A000-memory.dmp

Filesize
40KB

Download
memory/2652-11-0x000000001C980000-0x000000001C992000-memory.dmp

Filesize
72KB

Download
memory/2652-12-0x000000001CF10000-0x000000001D438000-memory.dmp

Filesize
5.2MB

Download
memory/2652-13-0x000000001C9E0000-0x000000001C9EA000-memory.dmp

Filesize
40KB

Download
memory/2652-14-0x000000001C9F0000-0x000000001C9FE000-memory.dmp

Filesize
56KB

Download
memory/2652-15-0x000000001CA00000-0x000000001CA0E000-memory.dmp

Filesize
56KB

Download
memory/2652-16-0x000000001CA10000-0x000000001CA18000-memory.dmp

Filesize
32KB

Download
memory/2652-18-0x000000001CB30000-0x000000001CB3C000-memory.dmp

Filesize
48KB

Download
memory/2652-17-0x000000001CA20000-0x000000001CA28000-memory.dmp

Filesize
32KB

Download
memory/2652-1-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/2652-5-0x000000001C990000-0x000000001C9E0000-memory.dmp

Filesize
320KB

Download
memory/2652-4-0x0000000003760000-0x000000000377C000-memory.dmp

Filesize
112KB

Download
memory/2652-772-0x00007FFAC6D53000-0x00007FFAC6D55000-memory.dmp

Filesize
8KB

Download
memory/2652-879-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/2652-3-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/2652-0-0x00007FFAC6D53000-0x00007FFAC6D55000-memory.dmp

Filesize
8KB

Download
memory/2652-1579-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/2652-2-0x000000001C1D0000-0x000000001C2FE000-memory.dmp

Filesize
1.2MB

Download
memory/3140-1451-0x000001F54C1A0000-0x000001F54C1C2000-memory.dmp

Filesize
136KB

Download
memory/4744-1916-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4760-1594-0x000000001BC80000-0x000000001BC92000-memory.dmp

Filesize
72KB

Download