colibri | bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Size

4.9MB
MD5

a521b23108ca72a0a8e837bb4bc6c309
SHA1

a80623d726004b9c0086377c19f822a67af0c490
SHA256

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec
SHA512

33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:j

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3760	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3760	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exelsass.exelsass.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4916-3-0x000000001BAA0000-0x000000001BBCE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4928	powershell.exe
3596	powershell.exe
3984	powershell.exe
4612	powershell.exe
936	powershell.exe
2248	powershell.exe
4584	powershell.exe
4272	powershell.exe
1920	powershell.exe
2916	powershell.exe
5032	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exelsass.exelsass.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation

Executes dropped EXE 64 IoCs

Processes:

tmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exe

pid	Process
1464	tmp9184.tmp.exe
2704	tmp9184.tmp.exe
1524	tmp9184.tmp.exe
4424	tmp9184.tmp.exe
4376	tmp9184.tmp.exe
3632	tmp9184.tmp.exe
4416	tmp9184.tmp.exe
4348	tmp9184.tmp.exe
2024	tmp9184.tmp.exe
1368	tmp9184.tmp.exe
3584	tmp9184.tmp.exe
3252	tmp9184.tmp.exe
624	tmp9184.tmp.exe
228	tmp9184.tmp.exe
2552	tmp9184.tmp.exe
4420	tmp9184.tmp.exe
908	tmp9184.tmp.exe
4340	tmp9184.tmp.exe
4964	tmp9184.tmp.exe
2756	tmp9184.tmp.exe
2264	tmp9184.tmp.exe
1760	tmp9184.tmp.exe
4264	tmp9184.tmp.exe
4484	tmp9184.tmp.exe
4632	tmp9184.tmp.exe
1944	tmp9184.tmp.exe
2988	tmp9184.tmp.exe
1532	tmp9184.tmp.exe
4588	tmp9184.tmp.exe
4936	tmp9184.tmp.exe
3660	tmp9184.tmp.exe
4976	tmp9184.tmp.exe
3516	tmp9184.tmp.exe
804	tmp9184.tmp.exe
1948	tmp9184.tmp.exe
4896	tmp9184.tmp.exe
3836	tmp9184.tmp.exe
3052	tmp9184.tmp.exe
4148	tmp9184.tmp.exe
4136	tmp9184.tmp.exe
3984	tmp9184.tmp.exe
3996	tmp9184.tmp.exe
3224	tmp9184.tmp.exe
1872	tmp9184.tmp.exe
2784	tmp9184.tmp.exe
1128	tmp9184.tmp.exe
3676	tmp9184.tmp.exe
3300	tmp9184.tmp.exe
2160	tmp9184.tmp.exe
752	tmp9184.tmp.exe
1124	tmp9184.tmp.exe
2972	tmp9184.tmp.exe
2600	tmp9184.tmp.exe
4528	tmp9184.tmp.exe
3768	tmp9184.tmp.exe
3928	tmp9184.tmp.exe
1036	tmp9184.tmp.exe
4432	tmp9184.tmp.exe
1380	tmp9184.tmp.exe
4616	tmp9184.tmp.exe
3440	tmp9184.tmp.exe
2172	tmp9184.tmp.exe
5100	tmp9184.tmp.exe
4644	tmp9184.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exelsass.exelsass.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Suspicious use of SetThreadContext 7 IoCs

Processes:

tmpC61F.tmp.exe

description	pid	Process	procid_target
PID 2692 set thread context of 112	2692	tmpC61F.tmp.exe	715
PID 3740 set thread context of 1820	3740		1598
PID 2900 set thread context of 4380	2900		2641
PID 4968 set thread context of 3184	4968		4249
PID 392 set thread context of 3564	392		4511
PID 4000 set thread context of 4612	4000		5300
PID 2344 set thread context of 4380	2344		6177

Drops file in Program Files directory 32 IoCs

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\Registry.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\69ddcba757bf72	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\ee2ad38f3d4382	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\smss.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\dllhost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Registry.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\smss.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB1AF.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows NT\Registry.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows NT\ee2ad38f3d4382	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9A53.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\5940a34987c991	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX9C67.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\66fc9ff0ee96c2	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\services.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXAF9A.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\dllhost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX9211.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCXA4A8.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\Registry.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXB3B3.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Mail\services.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RCXAAF5.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Drops file in Windows directory 8 IoCs

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

description	ioc	Process
File opened for modification	C:\Windows\TAPI\RCXA8D1.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\TAPI\explorer.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\L2Schemas\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\L2Schemas\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\TAPI\explorer.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\TAPI\7a0fd90576e088	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\L2Schemas\RCX8FFC.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9184.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class 11 IoCs

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exelsass.exelsass.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2784	schtasks.exe
2552	schtasks.exe
3500	schtasks.exe
5064	schtasks.exe
1636	schtasks.exe
5056	schtasks.exe
5012	schtasks.exe
3428	schtasks.exe
216	schtasks.exe
1140	schtasks.exe
908	schtasks.exe
2800	schtasks.exe
892	schtasks.exe
1620	schtasks.exe
4644	schtasks.exe
2864	schtasks.exe
2744	schtasks.exe
3052	schtasks.exe
4908	schtasks.exe
2428	schtasks.exe
744	schtasks.exe
2636	schtasks.exe
1044	schtasks.exe
760	schtasks.exe
4088	schtasks.exe
4468	schtasks.exe
5088	schtasks.exe
1924	schtasks.exe
4896	schtasks.exe
2752	schtasks.exe
4764	schtasks.exe
3740	schtasks.exe
1764	schtasks.exe
1876	schtasks.exe
2516	schtasks.exe
2100	schtasks.exe
3872	schtasks.exe
2756	schtasks.exe
4248	schtasks.exe
3200	schtasks.exe
5100	schtasks.exe
1604	schtasks.exe
2296	schtasks.exe
3796	schtasks.exe
4028	schtasks.exe
3140	schtasks.exe
1920	schtasks.exe
3648	schtasks.exe
4964	schtasks.exe
4976	schtasks.exe
3176	schtasks.exe
3464	schtasks.exe
1888	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exe

pid	Process
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4612	powershell.exe
4612	powershell.exe
3596	powershell.exe
3596	powershell.exe
2916	powershell.exe
2916	powershell.exe
2248	powershell.exe
2248	powershell.exe
4584	powershell.exe
4584	powershell.exe
5032	powershell.exe
5032	powershell.exe
1920	powershell.exe
1920	powershell.exe
936	powershell.exe
936	powershell.exe
3984	powershell.exe
3984	powershell.exe
4928	powershell.exe
4928	powershell.exe
4272	powershell.exe
4272	powershell.exe
2248	powershell.exe
4272	powershell.exe
936	powershell.exe
4612	powershell.exe
3984	powershell.exe
3596	powershell.exe
2916	powershell.exe
5032	powershell.exe
1920	powershell.exe
4584	powershell.exe
4928	powershell.exe
4088	lsass.exe
4088	lsass.exe
4800	lsass.exe
4424
1540
4844
3056
4964
400
2988
392

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4088	lsass.exe
Token: SeDebugPrivilege	4800	lsass.exe
Token: SeDebugPrivilege	4424
Token: SeDebugPrivilege	1540
Token: SeDebugPrivilege	4844
Token: SeDebugPrivilege	3056
Token: SeDebugPrivilege	4964
Token: SeDebugPrivilege	400
Token: SeDebugPrivilege	2988
Token: SeDebugPrivilege	392

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exetmp9184.tmp.exe

description	pid	Process	procid_target
PID 4916 wrote to memory of 1464	4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	138
PID 4916 wrote to memory of 1464	4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	138
PID 4916 wrote to memory of 1464	4916	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	138
PID 1464 wrote to memory of 2704	1464	tmp9184.tmp.exe	140
PID 1464 wrote to memory of 2704	1464	tmp9184.tmp.exe	140
PID 1464 wrote to memory of 2704	1464	tmp9184.tmp.exe	140
PID 2704 wrote to memory of 1524	2704	tmp9184.tmp.exe	141
PID 2704 wrote to memory of 1524	2704	tmp9184.tmp.exe	141
PID 2704 wrote to memory of 1524	2704	tmp9184.tmp.exe	141
PID 1524 wrote to memory of 4424	1524	tmp9184.tmp.exe	142
PID 1524 wrote to memory of 4424	1524	tmp9184.tmp.exe	142
PID 1524 wrote to memory of 4424	1524	tmp9184.tmp.exe	142
PID 4424 wrote to memory of 4376	4424	tmp9184.tmp.exe	143
PID 4424 wrote to memory of 4376	4424	tmp9184.tmp.exe	143
PID 4424 wrote to memory of 4376	4424	tmp9184.tmp.exe	143
PID 4376 wrote to memory of 3632	4376	tmp9184.tmp.exe	144
PID 4376 wrote to memory of 3632	4376	tmp9184.tmp.exe	144
PID 4376 wrote to memory of 3632	4376	tmp9184.tmp.exe	144
PID 3632 wrote to memory of 4416	3632	tmp9184.tmp.exe	145
PID 3632 wrote to memory of 4416	3632	tmp9184.tmp.exe	145
PID 3632 wrote to memory of 4416	3632	tmp9184.tmp.exe	145
PID 4416 wrote to memory of 4348	4416	tmp9184.tmp.exe	146
PID 4416 wrote to memory of 4348	4416	tmp9184.tmp.exe	146
PID 4416 wrote to memory of 4348	4416	tmp9184.tmp.exe	146
PID 4348 wrote to memory of 2024	4348	tmp9184.tmp.exe	269
PID 4348 wrote to memory of 2024	4348	tmp9184.tmp.exe	269
PID 4348 wrote to memory of 2024	4348	tmp9184.tmp.exe	269
PID 2024 wrote to memory of 1368	2024	tmp9184.tmp.exe	148
PID 2024 wrote to memory of 1368	2024	tmp9184.tmp.exe	148
PID 2024 wrote to memory of 1368	2024	tmp9184.tmp.exe	148
PID 1368 wrote to memory of 3584	1368	tmp9184.tmp.exe	149
PID 1368 wrote to memory of 3584	1368	tmp9184.tmp.exe	149
PID 1368 wrote to memory of 3584	1368	tmp9184.tmp.exe	149
PID 3584 wrote to memory of 3252	3584	tmp9184.tmp.exe	206
PID 3584 wrote to memory of 3252	3584	tmp9184.tmp.exe	206
PID 3584 wrote to memory of 3252	3584	tmp9184.tmp.exe	206
PID 3252 wrote to memory of 624	3252	tmp9184.tmp.exe	151
PID 3252 wrote to memory of 624	3252	tmp9184.tmp.exe	151
PID 3252 wrote to memory of 624	3252	tmp9184.tmp.exe	151
PID 624 wrote to memory of 228	624	tmp9184.tmp.exe	152
PID 624 wrote to memory of 228	624	tmp9184.tmp.exe	152
PID 624 wrote to memory of 228	624	tmp9184.tmp.exe	152
PID 228 wrote to memory of 2552	228	tmp9184.tmp.exe	211
PID 228 wrote to memory of 2552	228	tmp9184.tmp.exe	211
PID 228 wrote to memory of 2552	228	tmp9184.tmp.exe	211
PID 2552 wrote to memory of 4420	2552	tmp9184.tmp.exe	154
PID 2552 wrote to memory of 4420	2552	tmp9184.tmp.exe	154
PID 2552 wrote to memory of 4420	2552	tmp9184.tmp.exe	154
PID 4420 wrote to memory of 908	4420	tmp9184.tmp.exe	155
PID 4420 wrote to memory of 908	4420	tmp9184.tmp.exe	155
PID 4420 wrote to memory of 908	4420	tmp9184.tmp.exe	155
PID 908 wrote to memory of 4340	908	tmp9184.tmp.exe	156
PID 908 wrote to memory of 4340	908	tmp9184.tmp.exe	156
PID 908 wrote to memory of 4340	908	tmp9184.tmp.exe	156
PID 4340 wrote to memory of 4964	4340	tmp9184.tmp.exe	157
PID 4340 wrote to memory of 4964	4340	tmp9184.tmp.exe	157
PID 4340 wrote to memory of 4964	4340	tmp9184.tmp.exe	157
PID 4964 wrote to memory of 2756	4964	tmp9184.tmp.exe	158
PID 4964 wrote to memory of 2756	4964	tmp9184.tmp.exe	158
PID 4964 wrote to memory of 2756	4964	tmp9184.tmp.exe	158
PID 2756 wrote to memory of 2264	2756	tmp9184.tmp.exe	159
PID 2756 wrote to memory of 2264	2756	tmp9184.tmp.exe	159
PID 2756 wrote to memory of 2264	2756	tmp9184.tmp.exe	159
PID 2264 wrote to memory of 1760	2264	tmp9184.tmp.exe	160

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exebd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exelsass.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
"C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4916
- C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        54⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        56⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        58⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        59⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        60⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        61⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        62⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        63⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        64⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        65⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        66⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        67⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        68⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        69⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        70⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        71⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        72⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        73⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        74⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        75⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        76⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        77⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        78⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        79⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        80⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        81⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        82⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        83⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        84⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        85⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        86⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        87⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        88⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        89⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        90⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        91⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        92⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        93⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        94⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        95⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        96⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        97⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        98⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        99⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        100⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        101⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        102⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        103⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        104⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        105⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        106⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        107⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        108⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        109⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        110⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        111⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        112⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        113⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        114⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        115⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        116⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        117⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        118⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        119⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        120⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        121⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        122⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        123⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        124⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        125⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        126⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        127⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        128⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        129⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        130⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        131⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        132⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        133⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        134⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        135⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        136⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        137⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        138⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        139⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        140⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        141⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        142⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        143⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        144⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        145⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        146⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        147⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        148⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        149⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        150⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        151⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        152⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        154⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        155⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        156⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        157⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        158⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        159⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        160⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        161⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        162⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        163⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        164⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        165⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        166⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        167⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        168⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        169⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        170⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        171⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        172⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        173⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        174⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        175⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        176⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        177⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        178⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        179⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        180⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        181⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        182⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        183⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        184⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        185⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        186⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        187⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        188⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        189⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        190⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        191⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        192⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        193⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        194⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        195⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        196⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        197⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        198⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        199⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        200⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        201⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        202⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        203⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        204⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        205⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        206⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        207⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        208⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        209⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        210⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        211⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        212⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        213⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        214⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        215⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        216⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        217⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        218⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        219⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        220⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        221⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        222⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        223⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        224⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        225⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        226⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        227⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        228⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        229⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        230⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        231⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        232⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        233⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        234⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        235⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        236⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        237⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        238⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        239⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        240⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        241⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        242⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        243⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        244⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        245⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        246⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        247⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        248⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        249⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        250⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        251⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        252⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        253⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        254⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        255⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        256⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        257⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        258⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        259⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        260⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        261⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        262⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        263⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        264⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        265⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        266⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        267⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        268⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        269⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        270⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        271⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        272⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        273⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        274⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        275⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        276⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        277⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        278⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        279⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        280⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        282⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        283⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        284⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        285⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        286⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        287⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        288⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        289⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        290⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        291⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        292⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        293⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        294⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        295⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        296⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        297⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        298⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        299⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        300⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        301⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        302⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        303⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        304⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        305⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        306⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        307⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        308⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        309⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        310⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        311⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        312⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        313⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        314⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        315⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        316⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        317⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        318⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        319⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        320⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        321⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        322⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        323⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        324⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        325⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        326⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        327⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        328⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        329⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        330⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        331⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        332⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        333⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        334⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        336⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        337⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        338⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        339⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        340⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        341⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        342⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        343⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        344⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        345⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        346⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        347⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        348⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        349⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        350⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        351⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        352⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        353⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        354⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        355⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        356⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        357⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        358⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        359⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        360⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        361⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        362⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        363⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        364⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        365⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        366⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        367⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        368⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        369⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        370⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        371⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        372⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        373⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        374⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        375⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        376⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        377⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        378⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        379⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        380⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        381⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        382⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        383⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        384⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        385⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        386⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        387⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        388⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        389⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        390⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        391⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        392⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        393⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        394⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        395⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        396⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        397⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        398⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        399⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        400⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        401⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        402⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        403⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        404⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        405⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        406⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        407⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        408⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        409⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        410⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        411⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        412⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        413⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        414⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        415⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        416⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        417⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        418⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        419⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        420⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        421⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        422⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        423⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        424⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        425⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        426⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        427⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        428⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        429⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        430⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        431⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        432⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        433⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        434⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        435⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        436⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        437⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        438⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        439⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        440⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        441⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        442⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        443⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        444⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        445⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        446⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        447⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        448⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        449⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        450⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        451⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        452⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        453⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        454⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        455⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        456⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        457⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        458⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        459⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        460⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        461⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        462⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        463⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        464⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        465⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        466⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        467⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        468⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        469⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        470⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        471⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        472⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        473⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        474⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        475⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        476⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        477⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        478⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        479⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        480⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        481⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        482⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        483⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        484⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        485⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        486⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        487⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        488⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        489⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        490⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        491⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        492⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        493⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        494⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        495⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        496⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        497⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        498⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        499⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        500⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        501⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        502⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        503⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        504⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        505⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        506⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        507⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        508⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        509⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        510⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        511⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        512⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        513⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        514⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        515⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        516⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        517⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        518⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        519⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        520⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        521⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        522⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        523⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        524⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        525⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        526⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        527⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        528⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        529⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        530⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        531⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        532⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        533⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        534⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        535⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        536⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        537⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        538⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        539⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        540⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        541⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        542⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        543⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        544⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        545⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        546⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        547⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        548⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        549⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        550⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        551⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        552⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        553⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        554⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        555⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        556⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        557⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        558⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        559⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        560⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        561⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        562⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        563⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        564⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        565⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        566⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        567⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        568⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        569⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        570⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        571⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        572⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        573⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        574⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        575⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        576⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        577⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        578⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        579⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        580⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        581⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        582⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        583⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        584⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        585⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        586⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        587⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        588⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        589⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        590⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        591⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        592⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        593⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        594⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        595⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        596⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        597⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        598⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        599⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        600⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        601⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        602⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        603⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        604⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        605⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        606⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        607⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        608⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        609⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        610⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        611⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        612⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        613⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        614⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        615⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        616⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        617⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        618⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        619⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        620⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        621⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        622⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        623⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        624⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        625⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        626⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        627⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        628⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        629⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        630⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        631⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        632⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        633⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        634⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        635⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        636⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        637⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        638⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        639⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        640⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        641⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        642⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        643⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        644⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        645⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        646⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        647⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        648⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        649⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        650⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        651⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        652⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        653⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        654⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        655⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        656⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        657⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        658⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        659⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        660⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        661⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        662⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        663⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        664⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        665⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        666⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        667⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        668⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        669⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        670⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        671⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        672⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        673⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        674⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        675⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        676⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        677⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        678⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        679⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        680⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        681⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        682⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        683⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        684⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        685⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        686⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        687⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        688⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        689⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        690⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        691⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        692⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        693⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        694⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        695⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        696⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        697⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        698⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        699⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        700⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        701⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        702⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        703⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        704⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        705⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        706⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        707⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        708⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        709⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        710⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        711⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        712⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        713⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        714⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        715⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        716⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        717⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        718⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        719⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        720⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        721⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        722⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        723⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        724⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        725⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        726⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        727⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        728⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        729⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        730⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        731⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        732⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        733⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        734⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        735⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        736⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        737⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        738⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        739⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        740⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        741⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        742⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        743⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        744⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        745⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        746⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        747⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        748⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        749⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        750⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        751⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        752⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        753⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        754⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        755⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        756⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        757⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        758⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        759⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        760⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        761⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        762⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        763⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        764⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        765⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        766⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        767⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        768⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        769⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        770⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        771⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        772⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        773⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        774⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        775⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        776⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        777⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        778⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        779⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        780⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        781⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        782⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        783⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        784⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        785⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        786⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        787⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        788⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        789⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        790⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        791⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        792⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        793⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        794⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        795⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        796⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        797⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        798⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        799⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        800⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        801⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        802⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        803⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        804⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        805⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        806⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        807⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        808⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        809⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        810⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        811⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        812⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        813⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        814⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        815⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        816⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        817⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        818⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        819⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        820⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        821⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        822⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        823⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        824⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        825⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        826⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        827⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        828⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        829⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        830⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        831⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        832⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        833⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        834⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        835⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        836⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        837⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        838⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        839⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        840⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        841⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        842⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        843⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        844⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        845⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        846⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        847⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        848⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        849⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        850⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        851⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        852⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        853⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        854⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        855⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        856⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        857⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        858⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        859⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        860⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        861⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        862⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        863⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        864⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        865⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        866⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        867⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        868⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        869⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        870⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        871⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        872⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        873⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        874⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        875⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        876⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        877⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        878⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        879⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        880⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        881⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        882⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        883⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        884⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        885⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        886⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        887⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        888⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        889⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        890⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        891⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        892⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        893⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        894⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        895⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        896⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        897⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        898⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        899⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        900⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        901⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        902⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        903⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        904⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        905⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        906⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        907⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        908⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        909⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        910⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        911⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        912⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        913⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        914⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        915⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        916⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        917⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        918⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        919⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        920⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        921⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        922⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        923⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        924⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        925⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        926⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        927⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        928⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        929⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        930⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        931⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        932⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        933⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        934⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        935⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        936⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        937⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        938⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        939⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        940⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        941⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        942⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        943⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        944⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe"
        945⤵
        
        PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\L2Schemas\lsass.exe
  "C:\Windows\L2Schemas\lsass.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4334cb9-5ae4-4ffb-b428-21bf13c1e6ae.vbs"
    3⤵
    PID:4588
  - - C:\Windows\L2Schemas\lsass.exe
      C:\Windows\L2Schemas\lsass.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:4800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f317d19e-6870-47d3-8abf-4c6bcff4140a.vbs"
        5⤵
        
        PID:4480
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa34637-0953-4c7c-b926-75e19f9da204.vbs"
        5⤵
        
        PID:5080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b574f82-7557-4e10-8997-3dcc24fb71fa.vbs"
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.exe"
      4⤵
      PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Local\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Local\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2024

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2304

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\RCX9C67.tmp

Filesize
4.9MB

MD5
a9171fed2c0fa9de1fef405ec2b30080

SHA1
a544563de988a18bcc98cdd55732fdc595f80e92

SHA256
3687237ceba142205c1f6678cbe52eb9b39c0c24c16e4c10e7ece5aa283a8f05

SHA512
d4732dfe04b6309d8402d02047c55b08d2f6d123232116edd3fe353fe75a3a8e2751e2e3d9e15e7c5b3d79f06c2818411cb992f882ee9ecb86b324b473a380b6

Download Submit
C:\Users\Admin\3D Objects\StartMenuExperienceHost.exe

Filesize
4.9MB

MD5
a521b23108ca72a0a8e837bb4bc6c309

SHA1
a80623d726004b9c0086377c19f822a67af0c490

SHA256
bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

SHA512
33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k00zoqkx.ewt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\daa34637-0953-4c7c-b926-75e19f9da204.vbs

Filesize
482B

MD5
28cfd6bd1c01d28c9301094acc6eb22f

SHA1
45691fb8ee57955245328fa2838a31474fe8853d

SHA256
df0b3afee54db327b32c3c67882a7df5da37c6c1110ca4b6238d2e7edccb2e9e

SHA512
a1b06d05a7aa38105a7bddfae10ce063fedb96fe5e09d463328cf324a9cb7488468f65b0658b741f9175c6540227bb962d033ade66b56d674d8348264e517529

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9184.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/112-1511-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3056-5963-0x000000001D240000-0x000000001D252000-memory.dmp

Filesize
72KB

Download
memory/3564-13420-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/3596-1107-0x000001F33B5E0000-0x000001F33B602000-memory.dmp

Filesize
136KB

Download
memory/4424-3311-0x000000001D5F0000-0x000000001D602000-memory.dmp

Filesize
72KB

Download
memory/4844-5240-0x000000001D9F0000-0x000000001DA02000-memory.dmp

Filesize
72KB

Download
memory/4916-8-0x000000001C120000-0x000000001C136000-memory.dmp

Filesize
88KB

Download
memory/4916-691-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

Filesize
8KB

Download
memory/4916-13-0x000000001C1C0000-0x000000001C1CA000-memory.dmp

Filesize
40KB

Download
memory/4916-14-0x000000001C1D0000-0x000000001C1DE000-memory.dmp

Filesize
56KB

Download
memory/4916-15-0x000000001C1E0000-0x000000001C1EE000-memory.dmp

Filesize
56KB

Download
memory/4916-16-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/4916-18-0x000000001C310000-0x000000001C31C000-memory.dmp

Filesize
48KB

Download
memory/4916-17-0x000000001C200000-0x000000001C208000-memory.dmp

Filesize
32KB

Download
memory/4916-11-0x000000001C1B0000-0x000000001C1C2000-memory.dmp

Filesize
72KB

Download
memory/4916-10-0x000000001C150000-0x000000001C15A000-memory.dmp

Filesize
40KB

Download
memory/4916-9-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/4916-12-0x000000001C6F0000-0x000000001CC18000-memory.dmp

Filesize
5.2MB

Download
memory/4916-814-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-0-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

Filesize
8KB

Download
memory/4916-6-0x0000000002E20000-0x0000000002E28000-memory.dmp

Filesize
32KB

Download
memory/4916-1221-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-7-0x000000001C110000-0x000000001C120000-memory.dmp

Filesize
64KB

Download
memory/4916-5-0x000000001C160000-0x000000001C1B0000-memory.dmp

Filesize
320KB

Download
memory/4916-4-0x000000001BA70000-0x000000001BA8C000-memory.dmp

Filesize
112KB

Download
memory/4916-3-0x000000001BAA0000-0x000000001BBCE000-memory.dmp

Filesize
1.2MB

Download
memory/4916-2-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-1-0x0000000000770000-0x0000000000C64000-memory.dmp

Filesize
5.0MB

Download