colibri | 7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Size

4.9MB
MD5

ae0ba9569cf7c10b38e333294ecd7e70
SHA1

ea845af8e5d2a2faee5881f904e79f6316e461dd
SHA256

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05
SHA512

b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	5000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	5000	schtasks.exe	86

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/748-3-0x000000001BFF0000-0x000000001C11E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5104	powershell.exe
2820	powershell.exe
4016	powershell.exe
1988	powershell.exe
3456	powershell.exe
3956	powershell.exe
3360	powershell.exe
2228	powershell.exe
3056	powershell.exe
2620	powershell.exe
4740	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 64 IoCs

pid	Process
3348	tmp9240.tmp.exe
1668	tmp9240.tmp.exe
4524	backgroundTaskHost.exe
748	tmpCB7E.tmp.exe
4344	tmpCB7E.tmp.exe
1988	tmpCB7E.tmp.exe
1064	backgroundTaskHost.exe
1192	tmpE7FE.tmp.exe
1724	tmpE7FE.tmp.exe
2432	backgroundTaskHost.exe
3928	tmp337.tmp.exe
4060	tmp337.tmp.exe
2964	tmp337.tmp.exe
4704	backgroundTaskHost.exe
3644	tmp337F.tmp.exe
3672	tmp337F.tmp.exe
5048	backgroundTaskHost.exe
2964	tmp6378.tmp.exe
2304	tmp6378.tmp.exe
3176	backgroundTaskHost.exe
4316	backgroundTaskHost.exe
1068	tmpB021.tmp.exe
3656	tmpB021.tmp.exe
3420	backgroundTaskHost.exe
1864	tmpE059.tmp.exe
4200	tmpE059.tmp.exe
3176	backgroundTaskHost.exe
4060	tmpFBA1.tmp.exe
384	tmpFBA1.tmp.exe
2192	tmpFBA1.tmp.exe
5064	backgroundTaskHost.exe
1932	tmp164D.tmp.exe
2432	tmp164D.tmp.exe
3332	backgroundTaskHost.exe
496	tmp3176.tmp.exe
880	tmp3176.tmp.exe
2868	backgroundTaskHost.exe
4692	tmp60A4.tmp.exe
1608	tmp60A4.tmp.exe
3616	backgroundTaskHost.exe
2992	tmp90DC.tmp.exe
2032	tmp90DC.tmp.exe
1608	backgroundTaskHost.exe
1616	tmpACB1.tmp.exe
3644	tmpACB1.tmp.exe
1380	tmpACB1.tmp.exe
532	tmpACB1.tmp.exe
1872	tmpACB1.tmp.exe
4712	tmpACB1.tmp.exe
1328	tmpACB1.tmp.exe
5084	tmpACB1.tmp.exe
3980	tmpACB1.tmp.exe
2680	tmpACB1.tmp.exe
1576	tmpACB1.tmp.exe
2436	tmpACB1.tmp.exe
2752	tmpACB1.tmp.exe
1120	tmpACB1.tmp.exe
1356	tmpACB1.tmp.exe
4964	tmpACB1.tmp.exe
2392	tmpACB1.tmp.exe
4816	tmpACB1.tmp.exe
3908	tmpACB1.tmp.exe
4376	tmpACB1.tmp.exe
3708	tmpACB1.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 3348 set thread context of 1668	3348	tmp9240.tmp.exe	126
PID 4344 set thread context of 1988	4344	tmpCB7E.tmp.exe	173
PID 1192 set thread context of 1724	1192	tmpE7FE.tmp.exe	183
PID 4060 set thread context of 2964	4060	tmp337.tmp.exe	195
PID 3644 set thread context of 3672	3644	tmp337F.tmp.exe	207
PID 2964 set thread context of 2304	2964	tmp6378.tmp.exe	216
PID 1068 set thread context of 3656	1068	tmpB021.tmp.exe	235
PID 1864 set thread context of 4200	1864	tmpE059.tmp.exe	245
PID 384 set thread context of 2192	384	tmpFBA1.tmp.exe	254
PID 1932 set thread context of 2432	1932	tmp164D.tmp.exe	270
PID 496 set thread context of 880	496	tmp3176.tmp.exe	280
PID 4692 set thread context of 1608	4692	tmp60A4.tmp.exe	289
PID 2992 set thread context of 2032	2992	tmp90DC.tmp.exe	298

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX9DCE.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Crashpad\reports\explorer.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\Common Files\eddb19405b7ce1	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\6cb0b6c459d5d3	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\csrss.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Common Files\5940a34987c991	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\886983d96e3d3e	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCX906B.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\Common Files\backgroundTaskHost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\Registry.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX9521.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\Registry.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\66fc9ff0ee96c2	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Common Files\dllhost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8E66.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX92FD.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Crashpad\reports\explorer.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Crashpad\reports\7a0fd90576e088	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Common Files\dllhost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXA1F7.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\csrss.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ee2ad38f3d4382	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Common Files\RCX9949.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXA610.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files (x86)\Common Files\backgroundTaskHost.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\es-ES\upfc.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Windows\apppatch\es-ES\upfc.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Windows\apppatch\es-ES\ea1d8f6d871115	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Windows\apppatch\es-ES\RCX9FE3.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp60A4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9240.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE059.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6378.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACB1.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4804	schtasks.exe
4064	schtasks.exe
1076	schtasks.exe
2608	schtasks.exe
1604	schtasks.exe
1608	schtasks.exe
2116	schtasks.exe
2376	schtasks.exe
500	schtasks.exe
2132	schtasks.exe
4988	schtasks.exe
3224	schtasks.exe
372	schtasks.exe
2892	schtasks.exe
1388	schtasks.exe
4660	schtasks.exe
4704	schtasks.exe
3804	schtasks.exe
3984	schtasks.exe
3260	schtasks.exe
3828	schtasks.exe
3236	schtasks.exe
4816	schtasks.exe
3392	schtasks.exe
1772	schtasks.exe
4848	schtasks.exe
2992	schtasks.exe
3656	schtasks.exe
4968	schtasks.exe
4716	schtasks.exe
408	schtasks.exe
3624	schtasks.exe
5052	schtasks.exe
5064	schtasks.exe
3116	schtasks.exe
3292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2620	powershell.exe
2620	powershell.exe
3456	powershell.exe
3456	powershell.exe
4016	powershell.exe
4016	powershell.exe
3360	powershell.exe
3360	powershell.exe
2820	powershell.exe
2820	powershell.exe
1988	powershell.exe
1988	powershell.exe
3956	powershell.exe
3956	powershell.exe
3056	powershell.exe
3056	powershell.exe
2228	powershell.exe
2228	powershell.exe
3056	powershell.exe
5104	powershell.exe
5104	powershell.exe
4740	powershell.exe
4740	powershell.exe
2620	powershell.exe
3456	powershell.exe
3360	powershell.exe
2820	powershell.exe
1988	powershell.exe
4016	powershell.exe
5104	powershell.exe
3956	powershell.exe
2228	powershell.exe
4740	powershell.exe
4524	backgroundTaskHost.exe
1064	backgroundTaskHost.exe
2432	backgroundTaskHost.exe
4704	backgroundTaskHost.exe
5048	backgroundTaskHost.exe
3176	backgroundTaskHost.exe
4316	backgroundTaskHost.exe
3420	backgroundTaskHost.exe
3176	backgroundTaskHost.exe
5064	backgroundTaskHost.exe
5064	backgroundTaskHost.exe
3332	backgroundTaskHost.exe
3332	backgroundTaskHost.exe
2868	backgroundTaskHost.exe
2868	backgroundTaskHost.exe
3616	backgroundTaskHost.exe
3616	backgroundTaskHost.exe
1608	backgroundTaskHost.exe
1608	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4524	backgroundTaskHost.exe
Token: SeDebugPrivilege	1064	backgroundTaskHost.exe
Token: SeDebugPrivilege	2432	backgroundTaskHost.exe
Token: SeDebugPrivilege	4704	backgroundTaskHost.exe
Token: SeDebugPrivilege	5048	backgroundTaskHost.exe
Token: SeDebugPrivilege	3176	backgroundTaskHost.exe
Token: SeDebugPrivilege	4316	backgroundTaskHost.exe
Token: SeDebugPrivilege	3420	backgroundTaskHost.exe
Token: SeDebugPrivilege	3176	backgroundTaskHost.exe
Token: SeDebugPrivilege	5064	backgroundTaskHost.exe
Token: SeDebugPrivilege	3332	backgroundTaskHost.exe
Token: SeDebugPrivilege	2868	backgroundTaskHost.exe
Token: SeDebugPrivilege	3616	backgroundTaskHost.exe
Token: SeDebugPrivilege	1608	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3348	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	124
PID 748 wrote to memory of 3348	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	124
PID 748 wrote to memory of 3348	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	124
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 3348 wrote to memory of 1668	3348	tmp9240.tmp.exe	126
PID 748 wrote to memory of 4740	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	136
PID 748 wrote to memory of 4740	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	136
PID 748 wrote to memory of 5104	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	137
PID 748 wrote to memory of 5104	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	137
PID 748 wrote to memory of 3360	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	138
PID 748 wrote to memory of 3360	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	138
PID 748 wrote to memory of 2228	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	139
PID 748 wrote to memory of 2228	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	139
PID 748 wrote to memory of 2820	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	140
PID 748 wrote to memory of 2820	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	140
PID 748 wrote to memory of 3056	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	141
PID 748 wrote to memory of 3056	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	141
PID 748 wrote to memory of 4016	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	142
PID 748 wrote to memory of 4016	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	142
PID 748 wrote to memory of 1988	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	143
PID 748 wrote to memory of 1988	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	143
PID 748 wrote to memory of 2620	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	144
PID 748 wrote to memory of 2620	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	144
PID 748 wrote to memory of 3456	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	145
PID 748 wrote to memory of 3456	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	145
PID 748 wrote to memory of 3956	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	146
PID 748 wrote to memory of 3956	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	146
PID 748 wrote to memory of 2100	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	157
PID 748 wrote to memory of 2100	748	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	157
PID 2100 wrote to memory of 4204	2100	cmd.exe	160
PID 2100 wrote to memory of 4204	2100	cmd.exe	160
PID 2100 wrote to memory of 4524	2100	cmd.exe	166
PID 2100 wrote to memory of 4524	2100	cmd.exe	166
PID 4524 wrote to memory of 2656	4524	backgroundTaskHost.exe	168
PID 4524 wrote to memory of 2656	4524	backgroundTaskHost.exe	168
PID 4524 wrote to memory of 2200	4524	backgroundTaskHost.exe	169
PID 4524 wrote to memory of 2200	4524	backgroundTaskHost.exe	169
PID 4524 wrote to memory of 748	4524	backgroundTaskHost.exe	170
PID 4524 wrote to memory of 748	4524	backgroundTaskHost.exe	170
PID 4524 wrote to memory of 748	4524	backgroundTaskHost.exe	170
PID 748 wrote to memory of 4344	748	tmpCB7E.tmp.exe	172
PID 748 wrote to memory of 4344	748	tmpCB7E.tmp.exe	172
PID 748 wrote to memory of 4344	748	tmpCB7E.tmp.exe	172
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 4344 wrote to memory of 1988	4344	tmpCB7E.tmp.exe	173
PID 2656 wrote to memory of 1064	2656	WScript.exe	176
PID 2656 wrote to memory of 1064	2656	WScript.exe	176
PID 1064 wrote to memory of 3956	1064	backgroundTaskHost.exe	178
PID 1064 wrote to memory of 3956	1064	backgroundTaskHost.exe	178
PID 1064 wrote to memory of 3220	1064	backgroundTaskHost.exe	179
PID 1064 wrote to memory of 3220	1064	backgroundTaskHost.exe	179
PID 1064 wrote to memory of 1192	1064	backgroundTaskHost.exe	181
PID 1064 wrote to memory of 1192	1064	backgroundTaskHost.exe	181
PID 1064 wrote to memory of 1192	1064	backgroundTaskHost.exe	181

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
"C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:748
- C:\Users\Admin\AppData\Local\Temp\tmp9240.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9240.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\tmp9240.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9240.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HQV0F3TOk1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4204
- - C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
    "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4d28a1d-4000-4d48-b08e-b91a7cf416ca.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50cd445d-8818-4e02-a994-d49f464a490c.vbs"
        6⤵
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49ebacc8-414a-4f4d-b3a0-941c23d2c03d.vbs"
        8⤵
        
        PID:4316
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a94939c8-5e5e-4597-a8ed-e46ad8492030.vbs"
        10⤵
        
        PID:4204
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee7c0f4-6394-4800-85df-8b33e257bcd0.vbs"
        12⤵
        
        PID:876
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a58d8165-fc16-4ba4-968d-07e230c9b474.vbs"
        14⤵
        
        PID:3280
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8e20a9c-8864-4add-957b-c3dafaa28a5d.vbs"
        16⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b9b4f25-e159-4bbe-9017-9505097cffba.vbs"
        18⤵
        
        PID:1848
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b378af0-4ffa-4afc-9344-d7f19bcd8c1a.vbs"
        20⤵
        
        PID:3568
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b8a94b-52bd-4d50-ab82-6eed6d27bd41.vbs"
        22⤵
        
        PID:5088
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\173fd4be-0c84-4945-bc2c-f55cceeb9be3.vbs"
        24⤵
        
        PID:976
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\245396d6-9a3a-4164-8ad7-3272ce4220b9.vbs"
        26⤵
        
        PID:3260
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968145c7-067d-49e0-a305-debee36dc52c.vbs"
        28⤵
        
        PID:1748
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0163ccc-b1e5-4c70-9be8-68638c6892de.vbs"
        30⤵
        
        PID:4924
        
        C:\Program Files (x86)\Common Files\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\backgroundTaskHost.exe"
        31⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39cbbf4f-98bd-4183-9ad6-ebd884993eb0.vbs"
        30⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        51⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        52⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        53⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        54⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        55⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        56⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        57⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        58⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        59⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        60⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        61⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        62⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        63⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        64⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        65⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        66⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        67⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        69⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        70⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        71⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        72⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        73⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        74⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        75⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        77⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        78⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        81⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        82⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        83⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        84⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        85⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        87⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        89⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        90⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        91⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        92⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        93⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        94⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        95⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        96⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        97⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        98⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        99⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        101⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        103⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        104⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        106⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        107⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        108⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        110⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        112⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        113⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        114⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        115⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        116⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        117⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        118⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        119⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        120⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        121⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        122⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        123⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        124⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        125⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        126⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        127⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        128⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        130⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        131⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        132⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        133⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        134⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        135⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        137⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        138⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        140⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        141⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        142⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        143⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        144⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        145⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        146⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        148⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        149⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        150⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        151⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        152⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        153⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        154⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        155⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        157⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        158⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        159⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        160⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        162⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        163⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        164⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        167⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        168⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        169⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        170⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        171⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        172⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        173⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        175⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        176⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        177⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        178⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        179⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        180⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        181⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        182⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        183⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        184⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        185⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        186⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        187⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        188⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        189⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        191⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        192⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        193⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        194⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        196⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        197⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        198⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        200⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        201⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        203⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        204⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        205⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        206⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        207⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        208⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        210⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        211⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        212⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        213⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        214⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        215⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        216⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        217⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        218⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        219⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        220⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        222⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        225⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        226⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        227⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        228⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        230⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        231⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        232⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        233⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        234⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        235⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        236⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        237⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        238⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        239⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        240⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        242⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        243⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        244⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        245⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        246⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        248⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        250⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        251⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        252⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        253⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        254⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        255⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        256⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        257⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        258⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        259⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        260⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        261⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        263⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        264⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        265⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        266⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        267⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        268⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        269⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        270⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        271⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        272⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        273⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        275⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        277⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        278⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        279⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        280⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        282⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        283⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        284⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        285⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        286⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        287⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        289⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        291⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        292⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        293⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        295⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        296⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        297⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        298⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        299⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        300⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        301⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        302⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        303⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        305⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        306⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        307⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        308⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        310⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        311⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        312⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        313⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        314⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        315⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        316⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        317⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        318⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        319⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        320⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        321⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        322⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        323⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        324⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        325⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        326⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        327⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        328⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        329⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        330⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        331⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        332⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        334⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        335⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        336⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        337⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        338⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        339⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        340⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        341⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        342⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        343⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        344⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        345⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        346⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        347⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        348⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        349⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        350⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        351⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        352⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        353⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        354⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        355⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        356⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        357⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        358⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        359⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        360⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        361⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        362⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        363⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        365⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        366⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        367⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        368⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        369⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        370⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        371⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        372⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        373⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        374⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        375⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        377⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        378⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        379⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        380⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        381⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        382⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        383⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        384⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        385⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        386⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        388⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        389⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        390⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        391⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        392⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        393⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        394⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        395⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        396⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        397⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        398⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        399⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        400⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        401⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        402⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        403⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        404⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        405⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        406⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        407⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        408⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        409⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        410⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        411⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        412⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        413⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        414⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        415⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        416⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        417⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        418⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        419⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        420⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        422⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        423⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        424⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        425⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        426⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        427⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        428⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        430⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        431⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        432⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        433⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        434⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        435⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        436⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        437⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        438⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        439⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        440⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        441⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        442⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        443⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        444⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        445⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        446⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        447⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        448⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        449⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        450⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        451⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        452⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        453⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        454⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        455⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        456⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        457⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        458⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        459⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        460⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        461⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        462⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        463⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        464⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        465⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        466⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        467⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        468⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        469⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        470⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        471⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        472⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        473⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        474⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        475⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        476⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        477⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        478⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        479⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        480⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        481⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        482⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        483⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        484⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        485⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        486⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        487⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        488⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        489⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        490⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        491⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        492⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        493⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp.exe"
        494⤵
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b46e7293-e2ff-466c-86f0-58d105d85826.vbs"
        28⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp90DC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp90DC.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp90DC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp90DC.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\879fafb0-c46a-4955-8262-addc0b7c475c.vbs"
        26⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp60A4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60A4.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp60A4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60A4.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7eaec44-9d69-4328-b573-e311b85b6738.vbs"
        24⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp3176.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3176.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\tmp3176.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3176.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c00f6ca2-a558-4ba5-8e19-a4c48840831a.vbs"
        22⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp164D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp164D.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp164D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp164D.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cfe4951-1f28-4b11-afdc-ef20987cb857.vbs"
        20⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFBA1.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1f8771-0ba5-43c4-a873-ad33109daa2f.vbs"
        18⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmpE059.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE059.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmpE059.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE059.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57c042a7-b709-41ec-ae8b-e582c83f0fae.vbs"
        16⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmpB021.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB021.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmpB021.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB021.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef1f2bf-aa73-416e-9670-2997afa9fd3f.vbs"
        14⤵
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e29f8b9-d197-44ab-8edd-2c8ae0dce959.vbs"
        12⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e07e815-a0de-4f0b-869e-10056a007916.vbs"
        10⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp337F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp337F.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp337F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp337F.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d372848e-88c0-48ae-9071-b9071097726c.vbs"
        8⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2964
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4625619d-e5d9-4860-b454-2eac341e7a4a.vbs"
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7FE.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1724
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e83757-23d3-4d14-af4e-af2f828b984f.vbs"
      4⤵
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB7E.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\uk-UA\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\es-ES\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\apppatch\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sysmon.exe

Filesize
4.9MB

MD5
ae0ba9569cf7c10b38e333294ecd7e70

SHA1
ea845af8e5d2a2faee5881f904e79f6316e461dd

SHA256
7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05

SHA512
b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\49ebacc8-414a-4f4d-b3a0-941c23d2c03d.vbs

Filesize
734B

MD5
73574a45a58e408b58910ed15b1c380f

SHA1
005b40a6ea61319baf2e076f440e550edc53f4bf

SHA256
60f4334a226d71e6bccff50b92bd7a0df10928fba6338578a850ef5fa7708aa9

SHA512
09d7b8e3bcce677f5e2996a86edf63159d81941c6de270fdc6664ef56ff6916265879c311db6b324a2f5326d24d6291564f11f8b99c8a46ab04142b6e987c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\50cd445d-8818-4e02-a994-d49f464a490c.vbs

Filesize
734B

MD5
3d107a7daf1c3d6841660181a8b32db5

SHA1
8b1c6f0cefea1bfe6267f332ce38c5c386a3d1d7

SHA256
f857e90991a43ea3bdc33996bbb722e7243b4638be37fef56cc50c115e7b9ffd

SHA512
519c19c1b4261b61a92b78f0edc5b84bb597acce1c96aaae89135340f5a01d423508703af62f0cfe46181363bc216c90849103ef34d876b55c57387261622df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQV0F3TOk1.bat

Filesize
223B

MD5
88c9db68fd476e30cff5c04ebc47d5a5

SHA1
c2540dd66dfad39006c100723c7a71bc44628dde

SHA256
be56d9f4529137d506b611b5e48f25fe1f0e7321e6e54ec13988402334a2ba6d

SHA512
51b639f80263a8be549e0415c9c905f671db6930f6646bd0d8d4ce2d2b5bb2f270809be3779670096783495087be1ab9100c9012747f329ba76914f9f3f2d065

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4xdjzn4.cyf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0e83757-23d3-4d14-af4e-af2f828b984f.vbs

Filesize
510B

MD5
651d484208e1daa8a99d9c1061bac724

SHA1
5b4d94df54ca0c80db3d00c8bb587bc0437c8e0b

SHA256
c82e77c8f54a22a50e00ff6066be892125b5080004c3c6fd3d4458c8b76ba70a

SHA512
39a84f92ec0f2668781d370f0df3b2d20d577e8f4a8cf0fcad653316e44f2139c2c1070d14847c7d4fc610c24c7df8b18f40dc9e57c5f984460f823360baa3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a58d8165-fc16-4ba4-968d-07e230c9b474.vbs

Filesize
734B

MD5
c451659d045ccb155ba46b5043560724

SHA1
2b3a4f6a1e70f6fc80a4081109982f1ba10780c7

SHA256
fe68ae32e1f94bb96ac3329c97c90be3d70d6afe44e364628d6fd830c4402003

SHA512
708d9f5b58afa0457a0d1e788484e4d45389c3f41785fc003633be529794165aeb9036b63739c79db06a99c9a4ee5239a2c26310db107c87ba785aa92a0c32c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a94939c8-5e5e-4597-a8ed-e46ad8492030.vbs

Filesize
734B

MD5
a5988fd97755592043def42501b3a0b4

SHA1
23fbcf931ae56b9ffd997f9bd6964b9ba3b1c600

SHA256
d7cf194d82eecda16194223a53b3625317ab505fc804a52c8ce9b13b3f5de85b

SHA512
984232ebddcfc6e617b7490a4a108f6d061bdc9ae85662ee8ba2ab6255bf2a742bd4a161b0d794df4c0b1ff9118c822f6d58d15de45e2b9d6cd57b974903a548

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8e20a9c-8864-4add-957b-c3dafaa28a5d.vbs

Filesize
734B

MD5
940a03ece057da95254b95a98054629b

SHA1
fb114e8dcdab6209c8b0b483c9fd57117be742be

SHA256
d81d05c2f3ea30a515a04f23c7f98566b4fd309a73ebadc39fda871930d525b0

SHA512
c6734334bca32012b5199782014241f306058692b17db068c86244d56e926a8e12e5a6f31a7188929a81d6a97031244189ea1149e7fc157c74aab282d8b383ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dee7c0f4-6394-4800-85df-8b33e257bcd0.vbs

Filesize
734B

MD5
5cbde3bffd31e407a9dba748580aabf6

SHA1
9b08e6a90418a6bce5b57b4a27a909d15fd43a15

SHA256
8bcdd9a22c7c17778c3963631d42205a2331841701c6e941925b07236d40bd67

SHA512
ea5052b7cef3e63e85cfd82a81aa87605a86aa86fd05eb45561a5ab1bfffbf6ebc5133053467e544a33500e00f9540edc1f0a4299231d3cf0e58b4084fc698a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d28a1d-4000-4d48-b08e-b91a7cf416ca.vbs

Filesize
734B

MD5
7520f0ae26ca25ce866c1afc616c2539

SHA1
29c37d593aa7276a4618a442c309643c880e85bb

SHA256
2b5a77cbe61042f31f10604b817de4e29868ea0904103d4d0454965a3fd59541

SHA512
f51a9392f0a41b15bdeb72888649566aed1d7d87b6fbf12e4a0a0cbd6854b6ee5919d3622e079ba814461047b9252732cf29fcc3271400e3a95d790866e2dc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9240.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/748-12-0x000000001CCC0000-0x000000001D1E8000-memory.dmp

Filesize
5.2MB

Download
memory/748-1-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/748-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp

Filesize
8KB

Download
memory/748-11-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/748-16-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/748-17-0x000000001BF70000-0x000000001BF78000-memory.dmp

Filesize
32KB

Download
memory/748-18-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/748-13-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/748-14-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/748-10-0x0000000002370000-0x000000000237A000-memory.dmp

Filesize
40KB

Download
memory/748-140-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/748-2-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

Filesize
10.8MB

Download
memory/748-15-0x000000001BF50000-0x000000001BF5E000-memory.dmp

Filesize
56KB

Download
memory/748-3-0x000000001BFF0000-0x000000001C11E000-memory.dmp

Filesize
1.2MB

Download
memory/748-6-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/748-7-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/748-9-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/748-8-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/748-5-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/748-4-0x0000000002300000-0x000000000231C000-memory.dmp

Filesize
112KB

Download
memory/1668-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2620-150-0x0000022770D10000-0x0000022770D32000-memory.dmp

Filesize
136KB

Download
memory/4524-268-0x000000001B260000-0x000000001B272000-memory.dmp

Filesize
72KB

Download