colibri | 15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5

Analysis

max time kernel
112s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Size

4.9MB
MD5

0ebd2dc160f7d5627aef291ba8fe1723
SHA1

f19f6aae9588fa548e768924114b4a6ca6021c9e
SHA256

15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5
SHA512

aa5dd361118de60d42e5cb1fec62011cda145d721c04f736d2e27984e7eb478e884bacc5f5ac7b957d3e2786035341d1906886a0eed511ec3e54278e68dbc161
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx82:u

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3868	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3868	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2204-3-0x000000001B970000-0x000000001BA9E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
2828	powershell.exe
800	powershell.exe
3688	powershell.exe
2956	powershell.exe
4808	powershell.exe
1836	powershell.exe
1608	powershell.exe
1320	powershell.exe
3408	powershell.exe
3316	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 64 IoCs

pid	Process
3604	tmpB289.tmp.exe
4388	tmpB289.tmp.exe
2832	SearchApp.exe
3236	tmpF637.tmp.exe
3632	tmpF637.tmp.exe
668	SearchApp.exe
516	tmp2834.tmp.exe
4468	tmp2834.tmp.exe
2632	tmp2834.tmp.exe
1100	SearchApp.exe
1436	tmp44C4.tmp.exe
3688	tmp44C4.tmp.exe
3896	SearchApp.exe
2760	tmp773E.tmp.exe
3840	tmp773E.tmp.exe
3012	SearchApp.exe
4948	tmp96CC.tmp.exe
5092	tmp96CC.tmp.exe
2452	SearchApp.exe
3580	tmpB32E.tmp.exe
2744	tmpB32E.tmp.exe
628	SearchApp.exe
4916	tmpE4AE.tmp.exe
2216	tmpE4AE.tmp.exe
440	tmpE4AE.tmp.exe
4316	SearchApp.exe
4128	tmp169B.tmp.exe
1196	tmp169B.tmp.exe
4428	tmp169B.tmp.exe
1656	tmp169B.tmp.exe
4908	tmp169B.tmp.exe
452	tmp169B.tmp.exe
4080	tmp169B.tmp.exe
800	tmp169B.tmp.exe
3984	tmp169B.tmp.exe
3236	tmp169B.tmp.exe
1924	tmp169B.tmp.exe
1376	tmp169B.tmp.exe
2296	tmp169B.tmp.exe
3876	tmp169B.tmp.exe
4120	tmp169B.tmp.exe
2396	tmp169B.tmp.exe
4032	tmp169B.tmp.exe
384	tmp169B.tmp.exe
3992	tmp169B.tmp.exe
2452	tmp169B.tmp.exe
536	tmp169B.tmp.exe
3608	tmp169B.tmp.exe
1092	tmp169B.tmp.exe
3800	tmp169B.tmp.exe
3840	tmp169B.tmp.exe
4828	tmp169B.tmp.exe
1396	tmp169B.tmp.exe
5112	tmp169B.tmp.exe
4008	tmp169B.tmp.exe
3928	tmp169B.tmp.exe
2408	tmp169B.tmp.exe
4952	tmp169B.tmp.exe
3124	tmp169B.tmp.exe
2768	tmp169B.tmp.exe
4816	tmp169B.tmp.exe
1736	tmp169B.tmp.exe
4588	tmp169B.tmp.exe
4612	tmp169B.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3604 set thread context of 4388	3604	tmpB289.tmp.exe	128
PID 3236 set thread context of 3632	3236	tmpF637.tmp.exe	173
PID 4468 set thread context of 2632	4468	tmp2834.tmp.exe	185
PID 1436 set thread context of 3688	1436	tmp44C4.tmp.exe	195
PID 2760 set thread context of 3840	2760	tmp773E.tmp.exe	204
PID 4948 set thread context of 5092	4948	tmp96CC.tmp.exe	212
PID 3580 set thread context of 2744	3580	tmpB32E.tmp.exe	221
PID 2216 set thread context of 440	2216	tmpE4AE.tmp.exe	231
PID 1356 set thread context of 2956	1356	tmp336A.tmp.exe	528

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\sppsvc.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files (x86)\Windows Mail\ee2ad38f3d4382	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXBCA0.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCXBEE3.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\7a0fd90576e088	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\sppsvc.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXCDEE.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\services.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\Registry.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Microsoft Office 15\spoolsv.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Microsoft Office 15\f3b6ecef712a24	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files (x86)\Windows Mail\Registry.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCXB411.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB634.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\0a1fd5f707cd16	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Java\jdk-1.8\services.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Program Files\Java\jdk-1.8\c5b4cb5e9653cc	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXC31B.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Program Files\Microsoft Office 15\spoolsv.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\38384e6a620884	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\PLA\Reports\de-DE\121e5b5079f7c0	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\OCR\RuntimeBroker.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\ModemLogs\22eafd247d37c3	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\ModemLogs\TextInputHost.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\twain_32\SearchApp.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\twain_32\SearchApp.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\PLA\Reports\de-DE\sysmon.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\twain_32\RCXB1FB.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\sysmon.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\tracing\RuntimeBroker.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\tracing\RCXC744.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\tracing\RuntimeBroker.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\ModemLogs\RCXC958.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\tracing\9e8d7a4ca61bd9	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\ModemLogs\TextInputHost.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\RCXBA8C.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2834.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp169B.tmp.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4588	schtasks.exe
2356	schtasks.exe
2828	schtasks.exe
3676	schtasks.exe
3504	schtasks.exe
3248	schtasks.exe
988	schtasks.exe
4012	schtasks.exe
4940	schtasks.exe
4616	schtasks.exe
1592	schtasks.exe
2692	schtasks.exe
1888	schtasks.exe
2956	schtasks.exe
4464	schtasks.exe
724	schtasks.exe
3412	schtasks.exe
1864	schtasks.exe
820	schtasks.exe
1432	schtasks.exe
3408	schtasks.exe
264	schtasks.exe
4504	schtasks.exe
4944	schtasks.exe
4932	schtasks.exe
2940	schtasks.exe
5048	schtasks.exe
2800	schtasks.exe
4164	schtasks.exe
2816	schtasks.exe
4284	schtasks.exe
1608	schtasks.exe
4948	schtasks.exe
3892	schtasks.exe
1652	schtasks.exe
468	schtasks.exe
740	schtasks.exe
2464	schtasks.exe
4700	schtasks.exe
1404	schtasks.exe
1144	schtasks.exe
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
3688	powershell.exe
3688	powershell.exe
2828	powershell.exe
2828	powershell.exe
1836	powershell.exe
1836	powershell.exe
3316	powershell.exe
3316	powershell.exe
1320	powershell.exe
1320	powershell.exe
800	powershell.exe
800	powershell.exe
1608	powershell.exe
1608	powershell.exe
3408	powershell.exe
3408	powershell.exe
2188	powershell.exe
2188	powershell.exe
4808	powershell.exe
4808	powershell.exe
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
2188	powershell.exe
3688	powershell.exe
3688	powershell.exe
1836	powershell.exe
1836	powershell.exe
2828	powershell.exe
2828	powershell.exe
3408	powershell.exe
800	powershell.exe
4808	powershell.exe
1320	powershell.exe
3316	powershell.exe
1608	powershell.exe
2832	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2832	SearchApp.exe
Token: SeDebugPrivilege	668	SearchApp.exe
Token: SeDebugPrivilege	1100	SearchApp.exe
Token: SeDebugPrivilege	3896	SearchApp.exe
Token: SeDebugPrivilege	3012	SearchApp.exe
Token: SeDebugPrivilege	2452	SearchApp.exe
Token: SeDebugPrivilege	628	SearchApp.exe
Token: SeDebugPrivilege	4316	SearchApp.exe
Token: SeDebugPrivilege	4340	SearchApp.exe
Token: SeDebugPrivilege	3572	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3604	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	126
PID 2204 wrote to memory of 3604	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	126
PID 2204 wrote to memory of 3604	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	126
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 3604 wrote to memory of 4388	3604	tmpB289.tmp.exe	128
PID 2204 wrote to memory of 2188	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	138
PID 2204 wrote to memory of 2188	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	138
PID 2204 wrote to memory of 2828	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	139
PID 2204 wrote to memory of 2828	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	139
PID 2204 wrote to memory of 1836	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	140
PID 2204 wrote to memory of 1836	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	140
PID 2204 wrote to memory of 1608	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	141
PID 2204 wrote to memory of 1608	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	141
PID 2204 wrote to memory of 4808	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	142
PID 2204 wrote to memory of 4808	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	142
PID 2204 wrote to memory of 3316	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	143
PID 2204 wrote to memory of 3316	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	143
PID 2204 wrote to memory of 2956	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	144
PID 2204 wrote to memory of 2956	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	144
PID 2204 wrote to memory of 3408	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	146
PID 2204 wrote to memory of 3408	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	146
PID 2204 wrote to memory of 3688	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	147
PID 2204 wrote to memory of 3688	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	147
PID 2204 wrote to memory of 1320	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	149
PID 2204 wrote to memory of 1320	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	149
PID 2204 wrote to memory of 800	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	151
PID 2204 wrote to memory of 800	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	151
PID 2204 wrote to memory of 1876	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	159
PID 2204 wrote to memory of 1876	2204	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	159
PID 1876 wrote to memory of 4192	1876	cmd.exe	165
PID 1876 wrote to memory of 4192	1876	cmd.exe	165
PID 1876 wrote to memory of 2832	1876	cmd.exe	167
PID 1876 wrote to memory of 2832	1876	cmd.exe	167
PID 2832 wrote to memory of 4708	2832	SearchApp.exe	169
PID 2832 wrote to memory of 4708	2832	SearchApp.exe	169
PID 2832 wrote to memory of 4056	2832	SearchApp.exe	170
PID 2832 wrote to memory of 4056	2832	SearchApp.exe	170
PID 2832 wrote to memory of 3236	2832	SearchApp.exe	171
PID 2832 wrote to memory of 3236	2832	SearchApp.exe	171
PID 2832 wrote to memory of 3236	2832	SearchApp.exe	171
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 3236 wrote to memory of 3632	3236	tmpF637.tmp.exe	173
PID 4708 wrote to memory of 668	4708	WScript.exe	178
PID 4708 wrote to memory of 668	4708	WScript.exe	178
PID 668 wrote to memory of 2316	668	SearchApp.exe	180
PID 668 wrote to memory of 2316	668	SearchApp.exe	180
PID 668 wrote to memory of 4220	668	SearchApp.exe	181
PID 668 wrote to memory of 4220	668	SearchApp.exe	181
PID 668 wrote to memory of 516	668	SearchApp.exe	182
PID 668 wrote to memory of 516	668	SearchApp.exe	182
PID 668 wrote to memory of 516	668	SearchApp.exe	182
PID 516 wrote to memory of 4468	516	tmp2834.tmp.exe	184
PID 516 wrote to memory of 4468	516	tmp2834.tmp.exe	184
PID 516 wrote to memory of 4468	516	tmp2834.tmp.exe	184

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
"C:\Users\Admin\AppData\Local\Temp\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmpB289.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB289.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\tmpB289.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB289.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVarqRTQ45.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4192
- - C:\Windows\twain_32\SearchApp.exe
    "C:\Windows\twain_32\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2832
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18260dd3-9e7e-4798-945c-0c89f2957501.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:668
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff86ce9f-90d4-44ec-8294-52486c9cc768.vbs"
        6⤵
        
        PID:2316
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbd80c46-8ad1-4fd2-9f52-bf333cb82205.vbs"
        8⤵
        
        PID:2980
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02156f81-1697-4bd2-8fcc-b07056c350cc.vbs"
        10⤵
        
        PID:1084
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e94a76ed-f2b2-4c34-b4e1-ed5d5fea7bf2.vbs"
        12⤵
        
        PID:4616
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80c25b1e-0da0-47eb-b29d-8ea1285182e6.vbs"
        14⤵
        
        PID:2772
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3a01145-9617-4b4e-be9f-f4b5c843101c.vbs"
        16⤵
        
        PID:3924
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7064d191-6a38-43ff-bbed-2c1785953b12.vbs"
        18⤵
        
        PID:4852
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\970ad0c1-1e8d-4798-94ff-7ad6c8b34e97.vbs"
        20⤵
        
        PID:4124
        
        C:\Windows\twain_32\SearchApp.exe
        
        C:\Windows\twain_32\SearchApp.exe
        21⤵
        UAC bypass
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048d071a-b3b7-4586-81bf-e31300406cf6.vbs"
        22⤵
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2dff114-7b2a-4bc4-a861-50ed2591d641.vbs"
        22⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp6344.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6344.tmp.exe"
        22⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp6344.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6344.tmp.exe"
        23⤵
        
        PID:3800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a061af-e9f9-4bd1-a0cf-15fcc9e55d2e.vbs"
        20⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp336A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp336A.tmp.exe"
        20⤵
        Suspicious use of SetThreadContext
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp336A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp336A.tmp.exe"
        21⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cfc168-c6a2-4b66-86bc-9bf49a5344e0.vbs"
        18⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        41⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        53⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        56⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        57⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        58⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        59⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        60⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        61⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        62⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        63⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        64⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        65⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        66⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        68⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        69⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        70⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        71⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        72⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        73⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        74⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        75⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        77⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        78⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        79⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        80⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        82⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        83⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        84⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        85⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        86⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        87⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        88⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        89⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        90⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        91⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        92⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        93⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        94⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        95⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        96⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        97⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        98⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        99⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        100⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        101⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        103⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        104⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        105⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        106⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        107⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        108⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        109⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        110⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        111⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        113⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        114⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        115⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        116⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        117⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        118⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        119⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        120⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        122⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        123⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        124⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        125⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        126⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        127⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        129⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        130⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        131⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        132⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        133⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        134⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        135⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        136⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        138⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        139⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        140⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        141⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        142⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        143⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        144⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        146⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        147⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        148⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        149⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        151⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        153⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        155⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        156⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        157⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        158⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        159⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        160⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        162⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        163⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        164⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        165⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        166⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        167⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        168⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        169⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        170⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        173⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        174⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        176⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        177⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        178⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        179⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        180⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        181⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        183⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        184⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        185⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        186⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        187⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        189⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        190⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        192⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        194⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        195⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        196⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        197⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        198⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        199⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        200⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        201⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        202⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        203⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        204⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        205⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        206⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        207⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        208⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        209⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        210⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        211⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        212⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        213⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        214⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        215⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        216⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        217⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        218⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        219⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        220⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        221⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        222⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        223⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        224⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        225⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        226⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        227⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        228⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        229⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        230⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        231⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        232⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        233⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        234⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        238⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        239⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        240⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        241⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        243⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        244⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        245⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        246⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        247⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        248⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        250⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        251⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        252⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        253⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        254⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        255⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        256⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        257⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        258⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        259⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        260⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        261⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        262⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        263⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        264⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        265⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        266⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        267⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        268⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        269⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        270⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        271⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        272⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        273⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        274⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        275⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        278⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        279⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        280⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        281⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        282⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        283⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        284⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        285⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        286⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        287⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        288⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        289⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        290⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        291⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        293⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        294⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        295⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        296⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        297⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        298⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        299⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        300⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        301⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        302⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        303⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        305⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        306⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        307⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        308⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        309⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        310⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        311⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        313⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        314⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        315⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        316⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        317⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        319⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        320⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        321⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        322⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        323⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        324⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        325⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        326⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        327⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        328⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        329⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        330⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        331⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        332⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        333⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        334⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        335⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        336⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        337⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        338⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        339⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        340⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        341⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        342⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        343⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        344⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        345⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        346⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        347⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        348⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        349⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        350⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        351⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        352⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        353⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        354⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        355⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        356⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        357⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        359⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        360⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        362⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        363⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        364⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        365⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        366⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        367⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        368⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        369⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        370⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        371⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        372⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        374⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        375⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        376⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        377⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        378⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        379⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        380⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        381⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        382⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        383⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        384⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        385⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        386⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        387⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        388⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        389⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        390⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        391⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        392⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        393⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        394⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        395⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        396⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        397⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        398⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        399⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        400⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        401⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        402⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        403⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        405⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        406⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        407⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        408⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        409⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        410⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        411⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        412⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        413⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        414⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        415⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        416⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        418⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        419⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        420⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        421⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        422⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        423⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        424⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        425⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        426⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        427⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        428⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        429⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        430⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        431⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        432⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        433⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        434⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        435⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        436⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        437⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        438⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        439⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        440⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        441⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        442⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        443⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        444⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        445⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        446⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        447⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        448⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        449⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        450⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        451⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        452⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        453⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        454⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        455⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        456⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        457⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        458⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        459⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        460⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        461⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        462⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        463⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        464⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        465⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        466⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        467⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        468⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        469⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        470⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        471⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        472⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        473⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        474⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        475⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        476⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        477⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        478⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        479⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        480⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        481⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        482⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        483⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        484⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        485⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        486⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        487⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        488⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        489⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        490⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        491⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        492⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        493⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        494⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        495⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        496⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        497⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        498⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        499⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        500⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        501⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        502⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        503⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        504⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        505⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        506⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        507⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        508⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        509⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        510⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        511⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        512⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        513⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        514⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        515⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        516⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        517⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        518⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        519⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        520⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        521⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        522⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        523⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        524⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        525⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        526⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        527⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        528⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        529⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        530⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        531⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        532⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        533⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        534⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        535⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        536⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        537⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        538⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        539⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        540⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        541⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        542⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        543⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        544⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        545⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        546⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        547⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        548⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        549⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        550⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        551⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        552⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        553⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        554⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        555⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        556⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        557⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        558⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        559⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        560⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        561⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        562⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        563⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        564⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        565⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        566⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        567⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        568⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        569⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        570⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        571⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        572⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        573⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        574⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        575⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        576⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        577⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        578⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        579⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        580⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        581⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        582⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        583⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        584⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        585⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        586⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        587⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        588⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        589⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        590⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        591⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        592⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        593⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        594⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        595⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        596⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        597⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        598⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        599⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        600⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        601⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        602⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        603⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        604⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        605⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        606⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        607⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        608⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        609⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        610⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        611⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        612⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        613⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        614⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        615⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        616⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        617⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        618⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        619⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        620⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        621⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        622⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        623⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        624⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        625⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        626⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        627⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        628⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        629⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        630⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        631⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        632⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        633⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        634⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        635⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        636⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        637⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        638⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        639⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        640⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        641⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        642⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        643⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        644⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        645⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        646⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        647⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        648⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        649⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        650⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        651⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        652⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        653⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        654⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        655⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        656⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        657⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        658⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        659⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        660⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        661⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        662⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        663⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        664⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        665⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        666⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        667⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        668⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        669⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        670⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        671⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        672⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        673⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        674⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        675⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        676⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        677⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        678⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        679⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        680⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        681⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        682⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        683⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        684⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        685⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        686⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        687⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        688⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        689⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        690⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        691⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        692⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        693⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        694⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        695⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        696⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        697⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        698⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        699⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        700⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        701⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        702⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        703⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        704⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        705⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        706⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        707⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        708⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        709⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        710⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        711⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        712⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        713⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        714⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        715⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        716⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        717⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        718⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        719⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        720⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        721⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        722⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        723⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        724⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        725⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        726⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        727⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        728⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        729⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        730⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        731⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        732⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        733⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        734⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        735⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        736⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        737⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        738⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        739⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        740⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        741⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        742⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        743⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        744⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        745⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        746⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        747⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        748⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        749⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        750⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        751⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        752⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        753⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        754⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        755⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        756⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        757⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        758⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        759⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        760⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        761⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        762⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        763⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        764⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        765⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        766⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        767⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        768⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        769⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        770⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        771⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        772⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        773⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        774⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        775⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        776⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        777⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        778⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        779⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        780⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        781⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        782⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        783⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        784⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        785⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        786⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        787⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        788⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        789⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        790⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        791⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        792⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        793⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        794⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        795⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        796⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        797⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        798⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        799⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        800⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        801⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        802⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        803⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        804⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        805⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        806⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        807⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        808⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        809⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        810⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        811⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        812⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        813⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        814⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        815⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        816⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        817⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        818⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        819⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        820⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        821⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        822⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        823⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        824⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        825⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        826⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        827⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        828⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        829⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        830⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        831⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        832⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        833⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        834⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        835⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        836⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        837⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        838⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        839⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        840⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        841⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        842⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        843⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        844⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        845⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        846⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        847⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        848⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        849⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        850⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        851⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        852⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        853⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        854⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        855⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        856⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        857⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        858⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        859⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        860⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        861⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        862⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        863⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        864⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        865⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        866⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        867⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        868⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        869⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        870⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        871⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        872⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        873⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        874⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        875⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        876⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        877⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        878⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        879⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        880⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        881⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        882⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        883⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        884⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        885⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        886⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        887⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        888⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        889⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        890⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        891⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        892⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        893⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        894⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        895⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        896⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        897⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        898⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        899⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        900⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        901⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        902⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        903⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        904⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        905⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        906⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        907⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        908⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        909⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        910⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        911⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        912⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        913⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        914⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        915⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        916⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        917⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        918⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        919⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        920⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        921⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        922⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        923⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        924⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        925⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        926⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        927⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        928⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        929⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        930⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        931⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        932⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp169B.tmp.exe"
        933⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f5d393-c1ba-4de2-a954-b564d1c0fef1.vbs"
        16⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE4AE.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39eaca35-7c8b-40a1-be5b-b723f4d83750.vbs"
        14⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d599098-4e09-4b88-ac3d-92da950257c3.vbs"
        12⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp96CC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp96CC.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp96CC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp96CC.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ebdc4be-668e-4b7c-8e01-db37a485b298.vbs"
        10⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9503d8db-e055-48a9-aebc-9b582bc32dbb.vbs"
        8⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3688
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb20c5e4-10f9-47b3-8ef9-585f9ecf016c.vbs"
        6⤵
        
        PID:4220
      - C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:2632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d65da7-f2db-4cf4-b7aa-fd19d04f713b.vbs"
      4⤵
      PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Reports\de-DE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\02156f81-1697-4bd2-8fcc-b07056c350cc.vbs

Filesize
709B

MD5
c37a795f6e700e901fe9adcf84d52885

SHA1
451c853befa933361d11777a06bd161c0958c346

SHA256
d6f2b3f0a1b731bd5b5b756dfd58e7d04958b519eb2b9f37f5641a747cc33d95

SHA512
88e7c3995d6e38c7647c0351689d622e94f9f8d893cd6686ef9ccf81fee4de31ec5fad078db0f467a69bc2404a00d1c93649e056e1849ab3f311729b88266ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\18260dd3-9e7e-4798-945c-0c89f2957501.vbs

Filesize
709B

MD5
2e620d27cbdd8e99498a45595867d387

SHA1
3d122b1959ab01974666a58be5dd27551966b6d8

SHA256
4195cf401c3cc0075eaa1be09632b06e4431247f29d808a0736fdef73be69591

SHA512
fe299a1abd4dffda80172b94edac8e9cbaac22348e7d93ceca5bf66bc459c1b69c109f62997b959c6f3fce9746b8f2408799df14dc73d0a3a7f2cc9839991c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\80c25b1e-0da0-47eb-b29d-8ea1285182e6.vbs

Filesize
709B

MD5
7ebf524a7f0dce966ef6b1833e9a9935

SHA1
2065cbc04b92958972306d92205e17f341a1592c

SHA256
d2ddd441ba00156bacf97402c14baf35acc00a8203bbb410b973f628e602e9e4

SHA512
6f4d911debfef0698fb0f1a6e8954eed712da44049d4930ebf8e2854de5ba98083ca1cb6007eacd1e5f849f230de0e83c0c92e0c9316ce76640c54409c8a3262

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVarqRTQ45.bat

Filesize
198B

MD5
fbde083c41b9c75e0ef1f10babd36967

SHA1
901f97c3e7c78737d96eef8eaf95c07522080303

SHA256
a07c354c28224d085bdcafffb1d07b7d2cee2a366e206e09a2372cdf6e9d91e5

SHA512
515c531626f2e1feaf20af1558e4309056fb5b789ec8183fb124606f00c6ca0293d2df2c52a438585f11ac4ea4da78f40f8480354c0e2befeedb5c8e29457517

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51jrnrzb.kes.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3a01145-9617-4b4e-be9f-f4b5c843101c.vbs

Filesize
708B

MD5
dce190feafd1174fb5cf9e64aa3cf89c

SHA1
568551e5c34faf17bac4ca01ec3e5692b9114589

SHA256
3da808727a894e8d58de22ef68d375fa403ff05b20a3078cdc91af0ace949546

SHA512
b21d674ef281f7c29823d74d230af5ad2cd925a8c21ad06124758c79ad21f714336d29b35b6cfff2adec69481a13c6a38491f919f252639a6bdc06f8aac5ce56

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7d65da7-f2db-4cf4-b7aa-fd19d04f713b.vbs

Filesize
485B

MD5
247011f74d3e77c9f99e32ceefa20b78

SHA1
1d82f0b7105baafa7f16eb989599a0e67418d037

SHA256
d549431ccda9b292b6be172966ebf5d3b3de2f6af95263f3d46bccdf344307bf

SHA512
541cba8d6c8d2390fa1a14d774b9e9404014db7aae6346c4981c4035c3a77cd11d23729923f67bbcd0763071a32e3412ebbf629d358e580b2c996decdb57c305

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94a76ed-f2b2-4c34-b4e1-ed5d5fea7bf2.vbs

Filesize
709B

MD5
781a17d5591f412b56b20a398b71dc27

SHA1
820ce865f7dacc3037bc1f8ab51403476d728c6e

SHA256
7d056eaa234363780ca4b62d39403443d3c0ab3d9fa32e284aba79628e9029e7

SHA512
c8428a523ef37cbf2225f058ee2c2a1d6b1c9301299a9e80b03ffb56e9f98eed610c1b4b14e09c56939b3b8da226063d24309fa38a9d89cf9f33db55935f1072

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbd80c46-8ad1-4fd2-9f52-bf333cb82205.vbs

Filesize
709B

MD5
f8f96768f7689f28d63deda897be1db6

SHA1
4837ec3da6f94dc3ec5236e446f56ce1cb0a8618

SHA256
79aed3361d89b29e24a2efb70ab0361341c7064c9e79eee177d3fe57b3608e91

SHA512
5854d0927623cf0a7ce321fb057e2ba06ded0f713b68045289d220394d7897ca9c9e94852519f6801ed0da28eee1d9a78b11b9ada75bb88060d0bc8a08554eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff86ce9f-90d4-44ec-8294-52486c9cc768.vbs

Filesize
708B

MD5
b28537f63f5e85ff7b727b008ed74b17

SHA1
a26b37333607e8b379b9b3c908db513acc494a62

SHA256
c2230f801c307986b6e328c017889e9f5bbf9827a51b60fe6e4714a5ea04af83

SHA512
3f27878a585483b927d29f54ea142222397bc32343e99e618bc1001007a1aa408a37961377a49bd74fefd740310d21039c13bb42a0a07b0ee0cb778250c7c43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB289.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\PLA\Reports\de-DE\sysmon.exe

Filesize
4.9MB

MD5
0ebd2dc160f7d5627aef291ba8fe1723

SHA1
f19f6aae9588fa548e768924114b4a6ca6021c9e

SHA256
15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5

SHA512
aa5dd361118de60d42e5cb1fec62011cda145d721c04f736d2e27984e7eb478e884bacc5f5ac7b957d3e2786035341d1906886a0eed511ec3e54278e68dbc161

Download Submit
memory/2204-15-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/2204-138-0x00007FFD857F3000-0x00007FFD857F5000-memory.dmp

Filesize
8KB

Download
memory/2204-13-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/2204-1-0x0000000000600000-0x0000000000AF4000-memory.dmp

Filesize
5.0MB

Download
memory/2204-11-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

Filesize
72KB

Download
memory/2204-152-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-166-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-10-0x0000000002DC0000-0x0000000002DCA000-memory.dmp

Filesize
40KB

Download
memory/2204-2-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-12-0x000000001C5D0000-0x000000001CAF8000-memory.dmp

Filesize
5.2MB

Download
memory/2204-14-0x0000000002DF0000-0x0000000002DFE000-memory.dmp

Filesize
56KB

Download
memory/2204-17-0x0000000002E20000-0x0000000002E28000-memory.dmp

Filesize
32KB

Download
memory/2204-0-0x00007FFD857F3000-0x00007FFD857F5000-memory.dmp

Filesize
8KB

Download
memory/2204-16-0x0000000002E10000-0x0000000002E18000-memory.dmp

Filesize
32KB

Download
memory/2204-18-0x000000001C1A0000-0x000000001C1AC000-memory.dmp

Filesize
48KB

Download
memory/2204-6-0x00000000014A0000-0x00000000014A8000-memory.dmp

Filesize
32KB

Download
memory/2204-8-0x00000000014F0000-0x0000000001506000-memory.dmp

Filesize
88KB

Download
memory/2204-9-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/2204-7-0x00000000014B0000-0x00000000014C0000-memory.dmp

Filesize
64KB

Download
memory/2204-5-0x0000000002E40000-0x0000000002E90000-memory.dmp

Filesize
320KB

Download
memory/2204-4-0x0000000001480000-0x000000000149C000-memory.dmp

Filesize
112KB

Download
memory/2204-3-0x000000001B970000-0x000000001BA9E000-memory.dmp

Filesize
1.2MB

Download
memory/3688-185-0x0000021AC7F20000-0x0000021AC7F42000-memory.dmp

Filesize
136KB

Download
memory/4316-458-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

Filesize
72KB

Download
memory/4388-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download