colibri | 624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c

Analysis

max time kernel
108s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Size

4.9MB
MD5

448d47b42345b544c7abe88fa356ed00
SHA1

ae9661c13ece2218c5fccf1ecaab39ecd617a4ca
SHA256

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c
SHA512

0a3b5da20602bb61d27cc8de94a238d15c27ba9f2f80e170a98c7ee3c5dab06e218a6c516b3aaf2d485b614f7ccd0aeb7bc4120027f7c5dcc7abf46cb2357ac3
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1016	schtasks.exe	86

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/212-2-0x000000001C2C0000-0x000000001C3EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
3472	powershell.exe
2888	powershell.exe
1656	powershell.exe
2064	powershell.exe
5036	powershell.exe
2044	powershell.exe
3336	powershell.exe
2792	powershell.exe
2436	powershell.exe
2720	powershell.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 64 IoCs

pid	Process
5116	tmpA673.tmp.exe
1832	tmpA673.tmp.exe
4760	lsass.exe
3940	tmpEFA0.tmp.exe
1868	tmpEFA0.tmp.exe
640	tmpEFA0.tmp.exe
3344	lsass.exe
216	tmp216E.tmp.exe
1528	tmp216E.tmp.exe
1776	tmp216E.tmp.exe
4340	lsass.exe
3176	tmp532C.tmp.exe
3336	tmp532C.tmp.exe
3468	tmp532C.tmp.exe
1632	lsass.exe
1516	tmp9601.tmp.exe
4112	tmp9601.tmp.exe
3452	tmp9601.tmp.exe
2296	tmp9601.tmp.exe
3948	tmp9601.tmp.exe
2060	tmp9601.tmp.exe
628	tmp9601.tmp.exe
4520	tmp9601.tmp.exe
4744	tmp9601.tmp.exe
3196	tmp9601.tmp.exe
2756	tmp9601.tmp.exe
5116	tmp9601.tmp.exe
2256	tmp9601.tmp.exe
2956	tmp9601.tmp.exe
4116	tmp9601.tmp.exe
2112	tmp9601.tmp.exe
1476	tmp9601.tmp.exe
4516	tmp9601.tmp.exe
652	tmp9601.tmp.exe
1552	tmp9601.tmp.exe
3716	tmp9601.tmp.exe
1836	tmp9601.tmp.exe
2292	tmp9601.tmp.exe
4904	tmp9601.tmp.exe
1080	tmp9601.tmp.exe
2476	tmp9601.tmp.exe
2196	tmp9601.tmp.exe
640	tmp9601.tmp.exe
768	tmp9601.tmp.exe
5056	tmp9601.tmp.exe
4584	tmp9601.tmp.exe
4348	tmp9601.tmp.exe
4012	tmp9601.tmp.exe
3400	tmp9601.tmp.exe
3728	tmp9601.tmp.exe
1776	tmp9601.tmp.exe
588	tmp9601.tmp.exe
2568	tmp9601.tmp.exe
3748	tmp9601.tmp.exe
688	tmp9601.tmp.exe
4288	tmp9601.tmp.exe
5016	tmp9601.tmp.exe
1544	tmp9601.tmp.exe
2060	tmp9601.tmp.exe
60	tmp9601.tmp.exe
4928	tmp9601.tmp.exe
5060	tmp9601.tmp.exe
4744	tmp9601.tmp.exe
3196	tmp9601.tmp.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 1832	5116	tmpA673.tmp.exe	141
PID 1868 set thread context of 640	1868	tmpEFA0.tmp.exe	179
PID 1528 set thread context of 1776	1528	tmp216E.tmp.exe	190
PID 3336 set thread context of 3468	3336	tmp532C.tmp.exe	197
PID 4356 set thread context of 536	4356	tmpB159.tmp.exe	593
PID 3912 set thread context of 3060	3912	Process not Found	1187
PID 3948 set thread context of 4288	3948	Process not Found	1754
PID 4716 set thread context of 1900	4716	Process not Found	2662

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\lsass.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXC63F.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Microsoft Office\Office16\SppExtComObj.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\121e5b5079f7c0	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Windows Defender\uk-UA\6203df4a6bafc7	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCXBC96.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SppExtComObj.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Microsoft Office\Office16\e1ef82546f0b02	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB166.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXBA92.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXC3BE.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXC853.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\Windows Defender\uk-UA\lsass.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\fbfd361ff9ce3f	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\RCXB58F.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXAD3E.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\en-US\RCXAF52.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Windows\en-US\TextInputHost.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Windows\en-US\TextInputHost.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Windows\en-US\22eafd247d37c3	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4568	schtasks.exe
3336	schtasks.exe
4228	schtasks.exe
2820	schtasks.exe
1516	schtasks.exe
4876	schtasks.exe
1172	schtasks.exe
1704	schtasks.exe
2928	schtasks.exe
3812	schtasks.exe
3148	schtasks.exe
5112	schtasks.exe
3080	schtasks.exe
2112	schtasks.exe
1412	schtasks.exe
3888	schtasks.exe
3768	schtasks.exe
4008	schtasks.exe
1304	schtasks.exe
4416	schtasks.exe
3472	schtasks.exe
524	schtasks.exe
4640	schtasks.exe
1088	schtasks.exe
4308	schtasks.exe
4520	schtasks.exe
3788	schtasks.exe
1700	schtasks.exe
1096	schtasks.exe
2752	schtasks.exe
4644	schtasks.exe
3016	schtasks.exe
4900	schtasks.exe
848	schtasks.exe
3260	schtasks.exe
3092	schtasks.exe
4988	schtasks.exe
4408	schtasks.exe
2568	schtasks.exe
4604	schtasks.exe
1692	schtasks.exe
868	schtasks.exe
5052	schtasks.exe
1308	schtasks.exe
5036	schtasks.exe
2720	schtasks.exe
3200	schtasks.exe
3060	schtasks.exe
3116	schtasks.exe
1680	schtasks.exe
436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
1656	powershell.exe
1656	powershell.exe
2044	powershell.exe
2044	powershell.exe
2388	powershell.exe
2388	powershell.exe
3472	powershell.exe
3472	powershell.exe
3336	powershell.exe
3336	powershell.exe
2720	powershell.exe
2720	powershell.exe
2888	powershell.exe
2888	powershell.exe
2064	powershell.exe
2064	powershell.exe
5036	powershell.exe
5036	powershell.exe
2044	powershell.exe
2792	powershell.exe
2792	powershell.exe
3336	powershell.exe
2436	powershell.exe
2436	powershell.exe
2888	powershell.exe
5036	powershell.exe
2388	powershell.exe
3472	powershell.exe
1656	powershell.exe
2720	powershell.exe
2792	powershell.exe
2064	powershell.exe
2436	powershell.exe
4760	lsass.exe
3344	lsass.exe
4340	lsass.exe
1632	lsass.exe
1888	lsass.exe
3176	lsass.exe
4080	Process not Found
3308	Process not Found
3308	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	4760	lsass.exe
Token: SeDebugPrivilege	3344	lsass.exe
Token: SeDebugPrivilege	4340	lsass.exe
Token: SeDebugPrivilege	1632	lsass.exe
Token: SeDebugPrivilege	1888	lsass.exe
Token: SeDebugPrivilege	3176	lsass.exe
Token: SeDebugPrivilege	4080	Process not Found
Token: SeDebugPrivilege	3308	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 5116	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	139
PID 212 wrote to memory of 5116	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	139
PID 212 wrote to memory of 5116	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	139
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 5116 wrote to memory of 1832	5116	tmpA673.tmp.exe	141
PID 212 wrote to memory of 2436	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	148
PID 212 wrote to memory of 2436	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	148
PID 212 wrote to memory of 5036	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	149
PID 212 wrote to memory of 5036	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	149
PID 212 wrote to memory of 2044	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	150
PID 212 wrote to memory of 2044	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	150
PID 212 wrote to memory of 2388	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	151
PID 212 wrote to memory of 2388	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	151
PID 212 wrote to memory of 3472	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	152
PID 212 wrote to memory of 3472	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	152
PID 212 wrote to memory of 2888	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	153
PID 212 wrote to memory of 2888	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	153
PID 212 wrote to memory of 2720	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	154
PID 212 wrote to memory of 2720	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	154
PID 212 wrote to memory of 1656	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	155
PID 212 wrote to memory of 1656	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	155
PID 212 wrote to memory of 3336	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	156
PID 212 wrote to memory of 3336	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	156
PID 212 wrote to memory of 2064	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	157
PID 212 wrote to memory of 2064	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	157
PID 212 wrote to memory of 2792	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	158
PID 212 wrote to memory of 2792	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	158
PID 212 wrote to memory of 4004	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	169
PID 212 wrote to memory of 4004	212	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	169
PID 4004 wrote to memory of 4788	4004	cmd.exe	172
PID 4004 wrote to memory of 4788	4004	cmd.exe	172
PID 4004 wrote to memory of 4760	4004	cmd.exe	173
PID 4004 wrote to memory of 4760	4004	cmd.exe	173
PID 4760 wrote to memory of 2640	4760	lsass.exe	174
PID 4760 wrote to memory of 2640	4760	lsass.exe	174
PID 4760 wrote to memory of 1484	4760	lsass.exe	175
PID 4760 wrote to memory of 1484	4760	lsass.exe	175
PID 4760 wrote to memory of 3940	4760	lsass.exe	176
PID 4760 wrote to memory of 3940	4760	lsass.exe	176
PID 4760 wrote to memory of 3940	4760	lsass.exe	176
PID 3940 wrote to memory of 1868	3940	tmpEFA0.tmp.exe	178
PID 3940 wrote to memory of 1868	3940	tmpEFA0.tmp.exe	178
PID 3940 wrote to memory of 1868	3940	tmpEFA0.tmp.exe	178
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 1868 wrote to memory of 640	1868	tmpEFA0.tmp.exe	179
PID 2640 wrote to memory of 3344	2640	WScript.exe	183
PID 2640 wrote to memory of 3344	2640	WScript.exe	183
PID 3344 wrote to memory of 4044	3344	lsass.exe	184
PID 3344 wrote to memory of 4044	3344	lsass.exe	184
PID 3344 wrote to memory of 1100	3344	lsass.exe	185
PID 3344 wrote to memory of 1100	3344	lsass.exe	185
PID 3344 wrote to memory of 216	3344	lsass.exe	187
PID 3344 wrote to memory of 216	3344	lsass.exe	187
PID 3344 wrote to memory of 216	3344	lsass.exe	187

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
"C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:212
- C:\Users\Admin\AppData\Local\Temp\tmpA673.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA673.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\tmpA673.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA673.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LPipgPzRa7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4788
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4760
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d955f2e-0dd1-4a32-8474-ef85ad723a45.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f761903e-2a5a-4ada-84e1-96cdb27bef28.vbs"
        6⤵
        
        PID:4044
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f9ead3-6ee8-48ce-bd2e-8ade06e35f98.vbs"
        8⤵
        
        PID:1456
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ef7873f-7408-4e26-b1b0-93302645baeb.vbs"
        10⤵
        
        PID:4144
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\717968c3-a412-45f3-8ef2-184f392fd09e.vbs"
        12⤵
        
        PID:208
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ebd76ed-223c-4112-a963-8f3261aba403.vbs"
        14⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5081a7a-bad3-4afc-b936-fd8d1c2b8acb.vbs"
        14⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ba6747c-14f3-4203-a136-3a5496b472f0.vbs"
        12⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmpB159.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB159.tmp.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmpB159.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB159.tmp.exe"
        13⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff63d2c6-1bdb-48df-8226-7527690f05be.vbs"
        10⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        54⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        56⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        58⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        59⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        60⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        61⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        62⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        63⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        64⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        65⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        66⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        67⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        68⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        69⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        70⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        71⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        72⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        73⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        74⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        75⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        77⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        78⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        79⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        80⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        81⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        82⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        83⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        84⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        85⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        86⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        87⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        88⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        89⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        90⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        91⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        92⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        93⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        94⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        95⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        96⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        97⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        98⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        99⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        100⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        101⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        102⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        103⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        104⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        105⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        106⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        107⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        108⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        109⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        110⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        111⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        112⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        113⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        114⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        115⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        116⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        117⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        118⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        119⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        120⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        121⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        122⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        123⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        124⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        125⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        126⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        127⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        128⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        129⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        130⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        131⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        132⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        133⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        134⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        135⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        136⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        137⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        138⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        139⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        140⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        141⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        142⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        143⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        144⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        145⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        146⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        147⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        148⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        149⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        150⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        151⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        152⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        153⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        154⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        155⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        156⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        157⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        158⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        159⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        160⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        161⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        162⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        163⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        164⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        165⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        166⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        167⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        168⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        170⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        171⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        172⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        173⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        174⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        175⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        176⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        177⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        178⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        179⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        180⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        181⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        182⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        183⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        184⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        186⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        187⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        188⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        189⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        190⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        191⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        192⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        193⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        194⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        195⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        196⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        197⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        198⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        199⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        200⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        201⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        202⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        203⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        204⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        205⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        206⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        207⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        208⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        209⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        210⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        211⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        212⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        213⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        214⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        215⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        216⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        217⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        218⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        219⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        220⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        221⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        222⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        223⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        224⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        225⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        226⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        227⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        228⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        229⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        230⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        231⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        232⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        233⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        234⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        235⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        236⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        237⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        238⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        239⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        240⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        241⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        242⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        243⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        244⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        245⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        246⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        247⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        249⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        250⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        251⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        252⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        253⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        254⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        255⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        256⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        257⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        258⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        260⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        261⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        262⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        263⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        264⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        265⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        267⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        268⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        269⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        270⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        271⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        272⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        273⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        274⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        275⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        276⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        277⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        278⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        279⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        280⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        281⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        282⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        283⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        284⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        285⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        286⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        287⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        288⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        289⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        290⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        291⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        292⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        293⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        294⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        295⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        296⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        297⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        298⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        299⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        300⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        301⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        302⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        303⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        304⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        305⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        307⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        308⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        309⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        310⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        311⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        312⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        313⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        314⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        315⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        316⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        317⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        318⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        319⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        320⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        321⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        322⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        323⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        324⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        325⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        326⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        327⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        328⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        329⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        330⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        331⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        332⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        333⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        334⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        335⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        336⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        337⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        338⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        339⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        340⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        341⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        342⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        343⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        344⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        345⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        346⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        347⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        348⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        349⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        350⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        351⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        352⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        353⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        354⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        355⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        356⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        357⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        358⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        359⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        360⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        361⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        362⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        363⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        364⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        365⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        366⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        367⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        368⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        369⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        370⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        371⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        372⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        373⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        374⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        375⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        376⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        377⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        378⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        379⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        380⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        381⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        382⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        383⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        384⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        385⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        386⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        387⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        388⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        389⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        390⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        391⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        392⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        393⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        394⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        395⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        396⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        397⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        398⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        399⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        400⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        401⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        402⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        403⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        404⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        405⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        406⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        407⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        408⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        409⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        410⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        411⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        412⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        413⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        414⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        415⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        416⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        417⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        418⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        419⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        420⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        421⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        422⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        423⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        424⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        425⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        426⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        427⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        428⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        429⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        430⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        431⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        432⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        433⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        434⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        435⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        436⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        437⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        438⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        439⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        440⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        441⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        442⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        443⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        444⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        445⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        446⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        447⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        448⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        449⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        450⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        451⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        452⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        453⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        454⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        455⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        456⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        457⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        458⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        459⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        460⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        461⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        462⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        463⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        464⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        465⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        466⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        467⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        468⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        469⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        470⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        471⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        472⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        473⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        474⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        475⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        476⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        477⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        478⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        479⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        480⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        481⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        482⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        483⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        484⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        485⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        486⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        487⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        488⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        489⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        490⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        491⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        492⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        493⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        494⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        495⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        496⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        497⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        498⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        499⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        500⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        501⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        502⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        503⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        504⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        505⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        506⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        507⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        508⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        509⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        510⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        511⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        512⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        513⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        514⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        515⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        516⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        517⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        518⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        519⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        520⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        521⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        522⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        523⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        524⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        525⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        526⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        527⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        528⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        529⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        530⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        531⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        532⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        533⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        534⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        535⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        536⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        537⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        538⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        539⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        540⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        541⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        542⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        543⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        544⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        545⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        546⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        547⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        548⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        549⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        550⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        551⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        552⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        553⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        554⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        555⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        556⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        557⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        558⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        559⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        560⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        561⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        562⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        563⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        564⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        565⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        566⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        567⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        568⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        569⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        570⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        571⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        572⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        573⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        574⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        575⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        576⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        577⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        578⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        579⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        580⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        581⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        582⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        583⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        584⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        585⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        586⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        587⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        588⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        589⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        590⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        591⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        592⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        593⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        594⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        595⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        596⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        597⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        598⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        599⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        600⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        601⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        602⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        603⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        604⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        605⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        606⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        607⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        608⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        609⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        610⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        611⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        612⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        613⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        614⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        615⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        616⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        617⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        618⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        619⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        620⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        621⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        622⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        623⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        624⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        625⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        626⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        627⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        628⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        629⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        630⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        631⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        632⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        633⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        634⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        635⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        636⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        637⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        638⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        639⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        640⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        641⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        642⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        643⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        644⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        645⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        646⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        647⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        648⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        649⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        650⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        651⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        652⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        653⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        654⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        655⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        656⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        657⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        658⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        659⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        660⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        661⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        662⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        663⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        664⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        665⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        666⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        667⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        668⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        669⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        670⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        671⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        672⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        673⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        674⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        675⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        676⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        677⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        678⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        679⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        680⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        681⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        682⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        683⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        684⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        685⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        686⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        687⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        688⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        689⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        690⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        691⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        692⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        693⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        694⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        695⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        696⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        697⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        698⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        699⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        700⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        701⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        702⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        703⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        704⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        705⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        706⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        707⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        708⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        709⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        710⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        711⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        712⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        713⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        714⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        715⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        716⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        717⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        718⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        719⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        720⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        721⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        722⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        723⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        724⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        725⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        726⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        727⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        728⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        729⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        730⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        731⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        732⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        733⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        734⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        735⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        736⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        737⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        738⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        739⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        740⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        741⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        742⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        743⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        744⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        745⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        746⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        747⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        748⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        749⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        750⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        751⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        752⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        753⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        754⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        755⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        756⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        757⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        758⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        759⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        760⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        761⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        762⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        763⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        764⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        765⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        766⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        767⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        768⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        769⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        770⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        771⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        772⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        773⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        774⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        775⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        776⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        777⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        778⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        779⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        780⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        781⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        782⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        783⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        784⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        785⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        786⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        787⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        788⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        789⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        790⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        791⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        792⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        793⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        794⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        795⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        796⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        797⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        798⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        799⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        800⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        801⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        802⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        803⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        804⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        805⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        806⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        807⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        808⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        809⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        810⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        811⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        812⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        813⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        814⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        815⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        816⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        817⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        818⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        819⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        820⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        821⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        822⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        823⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        824⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        825⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        826⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        827⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        828⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        829⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        830⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        831⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        832⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        833⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        834⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        835⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        836⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        837⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        838⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        839⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        840⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        841⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        842⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        843⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        844⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        845⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        846⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        847⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        848⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        849⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        850⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        851⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        852⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        853⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        854⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        855⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        856⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        857⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        858⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        859⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        860⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        861⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        862⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        863⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        864⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        865⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        866⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        867⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        868⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        869⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        870⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        871⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        872⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        873⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        874⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        875⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        876⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        877⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        878⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        879⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        880⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        881⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        882⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        883⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        884⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        885⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        886⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        887⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        888⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        889⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        890⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        891⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        892⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        893⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        894⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        895⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        896⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        897⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        898⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        899⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        900⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        901⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        902⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        903⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        904⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        905⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        906⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        907⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        908⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        909⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        910⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        911⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        912⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        913⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        914⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        915⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        916⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        917⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        918⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        919⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        920⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        921⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        922⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        923⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        924⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        925⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        926⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        927⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        928⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        929⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        930⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        931⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        932⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        933⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        934⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        935⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        936⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        937⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c861a6f9-5250-4c45-8521-f2c97e9976d6.vbs"
        8⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp532C.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:3468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9df972-62c1-4cdf-b190-d6cd10e6e6b9.vbs"
        6⤵
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp216E.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1776
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6575699e-5b9f-42db-b3b2-c207e968633c.vbs"
      4⤵
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEFA0.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\USOShared\Logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN6" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN6" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
4.9MB

MD5
448d47b42345b544c7abe88fa356ed00

SHA1
ae9661c13ece2218c5fccf1ecaab39ecd617a4ca

SHA256
624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c

SHA512
0a3b5da20602bb61d27cc8de94a238d15c27ba9f2f80e170a98c7ee3c5dab06e218a6c516b3aaf2d485b614f7ccd0aeb7bc4120027f7c5dcc7abf46cb2357ac3

Download Submit
C:\Recovery\WindowsRE\RCXC1A9.tmp

Filesize
4.9MB

MD5
a83cc23f082eb684e7834863df00fa71

SHA1
ddbefc5e17113faea8be1b9addd13a19339ec8c7

SHA256
09282699e4cbb3c9e038069a317387e7d1f7aa57ceeae0f8fdbf52b65b8c64c7

SHA512
6ca3dffc055467e05fdd3383282bb6f7487edcab672dd8579cb5905b60e97fa1a4ebe51cbaa0faaffbd14b54a00eadf50c2961c9952d8ccd217a571663bb9f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ef7873f-7408-4e26-b1b0-93302645baeb.vbs

Filesize
748B

MD5
bd8deee7e1f33b0afd89b4c5a1835f66

SHA1
5f1e235ccf31059f29471d945b8ca1c0e9f6bc7f

SHA256
1a8ab44d037f4df247716c6531bca3b3cc778066a35b316ff3f9f07fa6ef2a57

SHA512
aaf992c892863ee1fb8af5d77de3d3c6a454b65965d24ba93d1361fce20f5ebfb684f0a01c93aa40b7d7577ec8de6562dcf7ef6e888a75e2656dcd9351cf77ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d955f2e-0dd1-4a32-8474-ef85ad723a45.vbs

Filesize
748B

MD5
9c47059b9bc7f4554282f848e0f98be4

SHA1
191f237958483ffc124b7f9d9be9f5e7cee05008

SHA256
6a1631e6567c69d389d4d5a1d616929d9058f4bb008bceaa83e007d3eabeeaa7

SHA512
43f6e0252ff3874454cc240d4f9a6bca184a106d1b73763cb9191ee0bdb0c4755dfe86d36e270f36746589c545693c46b47397649b374a2b656a701a40d2f461

Download Submit
C:\Users\Admin\AppData\Local\Temp\6575699e-5b9f-42db-b3b2-c207e968633c.vbs

Filesize
524B

MD5
211164decea0ce0469b4bf14f94af0cd

SHA1
234f25c910f0a664d3a46bda4ee11feda1ddff0d

SHA256
e00fac86c7ee6d8e18755f422642fa07cfd203fa179dd73a6b199baec1152775

SHA512
a7b4a35e5d6b5f3d54e4d31df51eb4010c7398cf2575d57f54c7de3089a5552d348483abb894649cc7ab51b4b4fd365c2927b698fbcea8495f497eefd85a4945

Download Submit
C:\Users\Admin\AppData\Local\Temp\91f9ead3-6ee8-48ce-bd2e-8ade06e35f98.vbs

Filesize
748B

MD5
f2ad0470a15296f4e0ef335e00c81c48

SHA1
4210284057fac134c217ece52987040f4f74850e

SHA256
c841046fd3ea72853c5b53995f93218ca02eda7be93b83c16f09c250b645526d

SHA512
14686c554f6905c7c65804555a0cc4c40bb86aba2fdde7abf9932c61463e1717eb0a34649cf151c199f0c4dd175d7ea426274c5566c110785d6369461ffa3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LPipgPzRa7.bat

Filesize
237B

MD5
6fb5794256fb45ce690e9f92acabaf35

SHA1
d341df65d3458974e46680b080d7ffe8aa9a1eee

SHA256
18f896e16e8e207a6a98ccc85e77786beb1e55ee9b4f282cba9faa43292faf3a

SHA512
afdbab6dbb3e7102aef507e0d32943e8bfcbfe1d96bb3525cd523a7a7e8700879f49e0bc3a66b4a1cbf6c3adc026504e049855c72bffa2658df542221c475525

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubydadac.jtq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761903e-2a5a-4ada-84e1-96cdb27bef28.vbs

Filesize
748B

MD5
dee95b71ad19539538ac9bb1785fdb1c

SHA1
26d2f642ffe3a3a9ff5bec6ce63f9fa2a2149a06

SHA256
652291d265a244db8a1784deb1f80bf7b55f38c3cbe4d31640c18c64e2a879c9

SHA512
3af584dc35358d50ba52947680b1bffa48a9c34318584e28ef056b05313a5189e7be55502fd08da2eddf0c06064e430a2dbc1b24d8de376bfb2ff1e9aaa472ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA673.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/212-14-0x000000001C3F0000-0x000000001C3FE000-memory.dmp

Filesize
56KB

Download
memory/212-5-0x000000001CA40000-0x000000001CA90000-memory.dmp

Filesize
320KB

Download
memory/212-17-0x000000001C420000-0x000000001C428000-memory.dmp

Filesize
32KB

Download
memory/212-16-0x000000001C410000-0x000000001C418000-memory.dmp

Filesize
32KB

Download
memory/212-1-0x0000000000FF0000-0x00000000014E4000-memory.dmp

Filesize
5.0MB

Download
memory/212-148-0x00007FFEB3CD3000-0x00007FFEB3CD5000-memory.dmp

Filesize
8KB

Download
memory/212-13-0x00000000037D0000-0x00000000037DA000-memory.dmp

Filesize
40KB

Download
memory/212-162-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/212-189-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/212-2-0x000000001C2C0000-0x000000001C3EE000-memory.dmp

Filesize
1.2MB

Download
memory/212-0-0x00007FFEB3CD3000-0x00007FFEB3CD5000-memory.dmp

Filesize
8KB

Download
memory/212-15-0x000000001C400000-0x000000001C40E000-memory.dmp

Filesize
56KB

Download
memory/212-3-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/212-12-0x000000001CFC0000-0x000000001D4E8000-memory.dmp

Filesize
5.2MB

Download
memory/212-11-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/212-4-0x0000000003740000-0x000000000375C000-memory.dmp

Filesize
112KB

Download
memory/212-9-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/212-10-0x00000000037B0000-0x00000000037BA000-memory.dmp

Filesize
40KB

Download
memory/212-8-0x0000000003780000-0x0000000003796000-memory.dmp

Filesize
88KB

Download
memory/212-18-0x000000001CB90000-0x000000001CB9C000-memory.dmp

Filesize
48KB

Download
memory/212-7-0x0000000003770000-0x0000000003780000-memory.dmp

Filesize
64KB

Download
memory/212-6-0x0000000003760000-0x0000000003768000-memory.dmp

Filesize
32KB

Download
memory/1632-408-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/1656-306-0x000001F6B4BB0000-0x000001F6B4CFE000-memory.dmp

Filesize
1.3MB

Download
memory/1832-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2044-293-0x0000012E555F0000-0x0000012E5573E000-memory.dmp

Filesize
1.3MB

Download
memory/2044-197-0x0000012E55400000-0x0000012E55422000-memory.dmp

Filesize
136KB

Download
memory/2064-318-0x0000012D59DE0000-0x0000012D59F2E000-memory.dmp

Filesize
1.3MB

Download
memory/2388-309-0x000001CF4E6A0000-0x000001CF4E7EE000-memory.dmp

Filesize
1.3MB

Download
memory/2436-324-0x0000024529FE0000-0x000002452A12E000-memory.dmp

Filesize
1.3MB

Download
memory/2720-314-0x0000017F5B270000-0x0000017F5B3BE000-memory.dmp

Filesize
1.3MB

Download
memory/2792-315-0x000001B224CB0000-0x000001B224DFE000-memory.dmp

Filesize
1.3MB

Download
memory/2888-299-0x0000027556440000-0x000002755658E000-memory.dmp

Filesize
1.3MB

Download
memory/3308-4968-0x000000001CDF0000-0x000000001CE02000-memory.dmp

Filesize
72KB

Download
memory/3336-300-0x0000024D72E20000-0x0000024D72F6E000-memory.dmp

Filesize
1.3MB

Download
memory/3344-355-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/3472-321-0x000002F39C5B0000-0x000002F39C6FE000-memory.dmp

Filesize
1.3MB

Download
memory/4080-4181-0x000000001D700000-0x000000001D802000-memory.dmp

Filesize
1.0MB

Download
memory/5036-305-0x00000277FC640000-0x00000277FC78E000-memory.dmp

Filesize
1.3MB

Download