colibri | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Size

4.9MB
MD5

bc6d8c1824fbce3832a86042be6ce8ec
SHA1

5c750a20d9ddeb5be64ba89d220a8657adbce18b
SHA256

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
SHA512

abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3536	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3536	schtasks.exe	82

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4264-3-0x000000001BEF0000-0x000000001C01E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4628	powershell.exe
1888	powershell.exe
3312	powershell.exe
2528	powershell.exe
1480	powershell.exe
2208	powershell.exe
1964	powershell.exe
4428	powershell.exe
3512	powershell.exe
4460	powershell.exe
2680	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 64 IoCs

Processes:

tmp80FA.tmp.exetmp80FA.tmp.execsrss.exetmpB97C.tmp.exetmpB97C.tmp.exetmpB97C.tmp.execsrss.exetmpD745.tmp.exetmpD745.tmp.execsrss.exetmpF472.tmp.exetmpF472.tmp.exetmpF472.tmp.execsrss.exetmp2594.tmp.exetmp2594.tmp.execsrss.exetmp56C6.tmp.exetmp56C6.tmp.execsrss.exetmp8911.tmp.exetmp8911.tmp.exetmp8911.tmp.execsrss.exetmpBB4C.tmp.exetmpBB4C.tmp.execsrss.exetmpEEA1.tmp.exetmpEEA1.tmp.execsrss.exetmp2021.tmp.exetmp2021.tmp.exetmp2021.tmp.execsrss.execsrss.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exe

pid	Process
4128	tmp80FA.tmp.exe
1532	tmp80FA.tmp.exe
3692	csrss.exe
3172	tmpB97C.tmp.exe
1924	tmpB97C.tmp.exe
4072	tmpB97C.tmp.exe
4640	csrss.exe
3816	tmpD745.tmp.exe
4312	tmpD745.tmp.exe
2144	csrss.exe
4284	tmpF472.tmp.exe
2100	tmpF472.tmp.exe
4852	tmpF472.tmp.exe
4904	csrss.exe
3624	tmp2594.tmp.exe
5044	tmp2594.tmp.exe
760	csrss.exe
4640	tmp56C6.tmp.exe
3108	tmp56C6.tmp.exe
1136	csrss.exe
628	tmp8911.tmp.exe
4184	tmp8911.tmp.exe
4128	tmp8911.tmp.exe
1932	csrss.exe
3624	tmpBB4C.tmp.exe
1492	tmpBB4C.tmp.exe
2864	csrss.exe
988	tmpEEA1.tmp.exe
1132	tmpEEA1.tmp.exe
2428	csrss.exe
2772	tmp2021.tmp.exe
2144	tmp2021.tmp.exe
4984	tmp2021.tmp.exe
3984	csrss.exe
3424	csrss.exe
4224	tmp5A7A.tmp.exe
2296	tmp5A7A.tmp.exe
3468	tmp5A7A.tmp.exe
5024	tmp5A7A.tmp.exe
3652	tmp5A7A.tmp.exe
4176	tmp5A7A.tmp.exe
4412	tmp5A7A.tmp.exe
1080	tmp5A7A.tmp.exe
5088	tmp5A7A.tmp.exe
4908	tmp5A7A.tmp.exe
1960	tmp5A7A.tmp.exe
4292	tmp5A7A.tmp.exe
3432	tmp5A7A.tmp.exe
3268	tmp5A7A.tmp.exe
1132	tmp5A7A.tmp.exe
392	tmp5A7A.tmp.exe
4120	tmp5A7A.tmp.exe
3600	tmp5A7A.tmp.exe
2244	tmp5A7A.tmp.exe
1128	tmp5A7A.tmp.exe
4800	tmp5A7A.tmp.exe
2208	tmp5A7A.tmp.exe
2100	tmp5A7A.tmp.exe
1268	tmp5A7A.tmp.exe
4184	tmp5A7A.tmp.exe
2260	tmp5A7A.tmp.exe
1972	tmp5A7A.tmp.exe
876	tmp5A7A.tmp.exe
2844	tmp5A7A.tmp.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmp80FA.tmp.exetmpB97C.tmp.exetmpD745.tmp.exetmpF472.tmp.exetmp2594.tmp.exetmp56C6.tmp.exetmp8911.tmp.exetmpBB4C.tmp.exetmpEEA1.tmp.exetmp2021.tmp.exetmp8B10.tmp.exe

description	pid	Process	procid_target
PID 4128 set thread context of 1532	4128	tmp80FA.tmp.exe	115
PID 1924 set thread context of 4072	1924	tmpB97C.tmp.exe	147
PID 3816 set thread context of 4312	3816	tmpD745.tmp.exe	159
PID 2100 set thread context of 4852	2100	tmpF472.tmp.exe	167
PID 3624 set thread context of 5044	3624	tmp2594.tmp.exe	174
PID 4640 set thread context of 3108	4640	tmp56C6.tmp.exe	180
PID 4184 set thread context of 4128	4184	tmp8911.tmp.exe	187
PID 3624 set thread context of 1492	3624	tmpBB4C.tmp.exe	193
PID 988 set thread context of 1132	988	tmpEEA1.tmp.exe	199
PID 2144 set thread context of 4984	2144	tmp2021.tmp.exe	206
PID 4520 set thread context of 2508	4520	tmp8B10.tmp.exe	713

Drops file in Program Files directory 9 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\886983d96e3d3e	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCX8999.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX9043.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files\ModifiableWindowsApps\Registry.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

Drops file in Windows directory 5 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

description	ioc	Process
File created	C:\Windows\fr-FR\c5b4cb5e9653cc	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Windows\rescache\_merged\1691975690\unsecapp.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Windows\fr-FR\RCX7E68.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Windows\fr-FR\services.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Windows\fr-FR\services.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmpB97C.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exetmp5A7A.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB97C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A7A.tmp.exe

Modifies registry class 14 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4136	schtasks.exe
3460	schtasks.exe
4104	schtasks.exe
4532	schtasks.exe
4900	schtasks.exe
1496	schtasks.exe
4812	schtasks.exe
5064	schtasks.exe
1148	schtasks.exe
2628	schtasks.exe
2684	schtasks.exe
2948	schtasks.exe
700	schtasks.exe
3848	schtasks.exe
2404	schtasks.exe
4928	schtasks.exe
988	schtasks.exe
3952	schtasks.exe
4040	schtasks.exe
3532	schtasks.exe
464	schtasks.exe
452	schtasks.exe
3340	schtasks.exe
2436	schtasks.exe
1976	schtasks.exe
2968	schtasks.exe
4196	schtasks.exe
3604	schtasks.exe
3576	schtasks.exe
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
1480	powershell.exe
1480	powershell.exe
2680	powershell.exe
2680	powershell.exe
1888	powershell.exe
1888	powershell.exe
2208	powershell.exe
2208	powershell.exe
3312	powershell.exe
3312	powershell.exe
3512	powershell.exe
3512	powershell.exe
1964	powershell.exe
1964	powershell.exe
2528	powershell.exe
2528	powershell.exe
4628	powershell.exe
4628	powershell.exe
4460	powershell.exe
4460	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
3312	powershell.exe
2208	powershell.exe
1480	powershell.exe
2680	powershell.exe
4460	powershell.exe
1964	powershell.exe
1888	powershell.exe
3512	powershell.exe
4628	powershell.exe
2528	powershell.exe
3692	csrss.exe
4640	csrss.exe
2144	csrss.exe
4904	csrss.exe
760	csrss.exe
1136	csrss.exe
1932	csrss.exe
2864	csrss.exe
2428	csrss.exe
3984	csrss.exe
3424	csrss.exe
1872	csrss.exe
5028	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3692	csrss.exe
Token: SeDebugPrivilege	4640	csrss.exe
Token: SeDebugPrivilege	2144	csrss.exe
Token: SeDebugPrivilege	4904	csrss.exe
Token: SeDebugPrivilege	760	csrss.exe
Token: SeDebugPrivilege	1136	csrss.exe
Token: SeDebugPrivilege	1932	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	2428	csrss.exe
Token: SeDebugPrivilege	3984	csrss.exe
Token: SeDebugPrivilege	3424	csrss.exe
Token: SeDebugPrivilege	1872	csrss.exe
Token: SeDebugPrivilege	5028	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exetmp80FA.tmp.execmd.execsrss.exetmpB97C.tmp.exetmpB97C.tmp.exeWScript.execsrss.exe

description	pid	Process	procid_target
PID 4264 wrote to memory of 4128	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	113
PID 4264 wrote to memory of 4128	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	113
PID 4264 wrote to memory of 4128	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	113
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4128 wrote to memory of 1532	4128	tmp80FA.tmp.exe	115
PID 4264 wrote to memory of 4628	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	116
PID 4264 wrote to memory of 4628	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	116
PID 4264 wrote to memory of 1480	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	117
PID 4264 wrote to memory of 1480	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	117
PID 4264 wrote to memory of 4428	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	118
PID 4264 wrote to memory of 4428	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	118
PID 4264 wrote to memory of 1888	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	119
PID 4264 wrote to memory of 1888	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	119
PID 4264 wrote to memory of 1964	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	120
PID 4264 wrote to memory of 1964	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	120
PID 4264 wrote to memory of 2208	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	121
PID 4264 wrote to memory of 2208	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	121
PID 4264 wrote to memory of 2528	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	122
PID 4264 wrote to memory of 2528	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	122
PID 4264 wrote to memory of 2680	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	124
PID 4264 wrote to memory of 2680	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	124
PID 4264 wrote to memory of 4460	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	125
PID 4264 wrote to memory of 4460	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	125
PID 4264 wrote to memory of 3512	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	126
PID 4264 wrote to memory of 3512	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	126
PID 4264 wrote to memory of 3312	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	127
PID 4264 wrote to memory of 3312	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	127
PID 4264 wrote to memory of 4384	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	138
PID 4264 wrote to memory of 4384	4264	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	138
PID 4384 wrote to memory of 1956	4384	cmd.exe	140
PID 4384 wrote to memory of 1956	4384	cmd.exe	140
PID 4384 wrote to memory of 3692	4384	cmd.exe	141
PID 4384 wrote to memory of 3692	4384	cmd.exe	141
PID 3692 wrote to memory of 2244	3692	csrss.exe	142
PID 3692 wrote to memory of 2244	3692	csrss.exe	142
PID 3692 wrote to memory of 4848	3692	csrss.exe	143
PID 3692 wrote to memory of 4848	3692	csrss.exe	143
PID 3692 wrote to memory of 3172	3692	csrss.exe	144
PID 3692 wrote to memory of 3172	3692	csrss.exe	144
PID 3692 wrote to memory of 3172	3692	csrss.exe	144
PID 3172 wrote to memory of 1924	3172	tmpB97C.tmp.exe	146
PID 3172 wrote to memory of 1924	3172	tmpB97C.tmp.exe	146
PID 3172 wrote to memory of 1924	3172	tmpB97C.tmp.exe	146
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 1924 wrote to memory of 4072	1924	tmpB97C.tmp.exe	147
PID 2244 wrote to memory of 4640	2244	WScript.exe	151
PID 2244 wrote to memory of 4640	2244	WScript.exe	151
PID 4640 wrote to memory of 1260	4640	csrss.exe	153
PID 4640 wrote to memory of 1260	4640	csrss.exe	153
PID 4640 wrote to memory of 3804	4640	csrss.exe	154
PID 4640 wrote to memory of 3804	4640	csrss.exe	154
PID 4640 wrote to memory of 3816	4640	csrss.exe	155
PID 4640 wrote to memory of 3816	4640	csrss.exe	155
PID 4640 wrote to memory of 3816	4640	csrss.exe	155

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
"C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4264
- C:\Users\Admin\AppData\Local\Temp\tmp80FA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80FA.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\tmp80FA.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp80FA.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rPqPN6FzPk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1956
- - C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
    "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c29474-8865-46b5-bc30-6c80843e2d11.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ca635f-25d5-4326-a47f-45c520dea108.vbs"
        6⤵
        
        PID:1260
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54ca4250-6edf-41cf-b7d3-554be0beeeb8.vbs"
        8⤵
        
        PID:2860
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\168a5b1f-9733-4ed0-b425-985e28ac3527.vbs"
        10⤵
        
        PID:5108
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1cbce6f-a55e-49ec-b509-9b04840942ba.vbs"
        12⤵
        
        PID:1416
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bfb9fdc-1ce7-47dc-af60-648dee3552b7.vbs"
        14⤵
        
        PID:1520
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74518baf-de2e-4ef2-aaf3-eace54d45c91.vbs"
        16⤵
        
        PID:4364
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6011cfcb-c8c5-4b85-aa34-a20aa71cf58c.vbs"
        18⤵
        
        PID:1612
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7605bbe6-dd8f-4595-899b-d81d7d713912.vbs"
        20⤵
        
        PID:3056
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a88a48ef-df35-4509-b021-dcacf9c3ad57.vbs"
        22⤵
        
        PID:4868
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd238674-335b-4935-9879-644f7f89c67d.vbs"
        24⤵
        
        PID:4860
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f9d12c-ccb6-4599-a1d7-3d80a5b32947.vbs"
        26⤵
        
        PID:2924
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de30d02b-6444-443c-bd32-25121caa1ef7.vbs"
        28⤵
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aff6a00-6380-4be0-9608-7b00ac4629ac.vbs"
        28⤵
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b6f3e9-7b7a-45de-bce2-a155fd22d885.vbs"
        26⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe"
        26⤵
        Suspicious use of SetThreadContext
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe"
        27⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1852448-fe74-439e-8fcf-411d2623d93c.vbs"
        24⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        35⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        37⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        38⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        39⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        40⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        42⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        43⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        44⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        45⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        46⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        47⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        48⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        49⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        50⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        51⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        52⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        53⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        54⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        55⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        56⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        57⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        58⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        59⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        60⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        61⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        62⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        63⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        64⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        65⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        66⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        67⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        68⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        69⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        70⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        71⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        72⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        73⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        74⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        75⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        76⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        77⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        78⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        79⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        80⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        81⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        82⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        83⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        84⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        85⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        86⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        87⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        88⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        90⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        91⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        92⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        93⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        94⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        95⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        96⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        97⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        98⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        99⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        102⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        103⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        104⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        105⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        106⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        107⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        108⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        109⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        110⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        111⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        112⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        113⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        114⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        115⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        116⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        117⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        118⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        119⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        120⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        121⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        122⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        123⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        124⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        125⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        126⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        127⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        128⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        129⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        130⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        131⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        132⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        133⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        134⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        135⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        136⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        137⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        138⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        139⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        140⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        143⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        144⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        145⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        146⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        147⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        148⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        149⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        150⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        151⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        152⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        153⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        154⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        155⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        157⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        158⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        159⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        160⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        161⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        162⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        163⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        164⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        165⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        166⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        167⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        168⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        169⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        170⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        171⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        172⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        173⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        174⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        175⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        176⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        177⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        178⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        179⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        180⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        181⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        183⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        184⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        185⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        186⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        187⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        188⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        189⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        190⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        191⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        192⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        193⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        195⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        196⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        197⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        198⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        199⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        200⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        201⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        202⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        203⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        204⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        205⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        206⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        207⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        208⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        209⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        210⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        211⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        212⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        213⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        214⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        215⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        216⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        217⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        218⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        219⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        221⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        222⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        223⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        225⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        226⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        227⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        228⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        229⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        230⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        231⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        232⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        233⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        234⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        235⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        236⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        238⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        239⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        240⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        241⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        243⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        244⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        245⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        246⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        247⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        248⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        249⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        250⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        251⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        252⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        253⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        256⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        257⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        258⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        259⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        260⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        261⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        262⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        263⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        264⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        265⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        266⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        267⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        268⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        269⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        270⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        271⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        272⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        273⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        274⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        275⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        276⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        277⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        279⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        281⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        282⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        284⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        285⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        286⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        287⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        288⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        289⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        290⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        291⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        293⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        294⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        295⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        296⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        297⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        298⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        299⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        300⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        301⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        302⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        303⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        304⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        305⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        306⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        307⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        308⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        310⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        311⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        312⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        313⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        314⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        315⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        316⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        317⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        318⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        319⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        320⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        321⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        322⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        323⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        324⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        325⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        326⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        327⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        328⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        329⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        330⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        332⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        333⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        334⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        335⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        336⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        337⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        338⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        339⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        340⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        341⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        342⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        343⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        344⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        345⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        346⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        347⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        350⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        351⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        352⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        353⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        354⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        355⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        356⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        357⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        358⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        359⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        360⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        361⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        362⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        363⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        364⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        365⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        366⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        367⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        368⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        369⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        370⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        371⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        372⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        373⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        374⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        375⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        376⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        377⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        378⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        379⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        380⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        381⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        382⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        383⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        385⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        386⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        387⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        388⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        389⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        390⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        391⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        392⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        393⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        394⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        395⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        396⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        397⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        398⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        399⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        400⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        401⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        402⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        403⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        404⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        405⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        406⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        407⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        408⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        409⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        410⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        411⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        412⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        413⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        414⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        415⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        416⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        417⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        418⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        419⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        420⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        422⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        423⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        424⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        425⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        426⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        427⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        428⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        429⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        430⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        431⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        432⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        433⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        434⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        435⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        436⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        437⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        438⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        439⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        440⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        441⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        442⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        443⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        444⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        445⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        446⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        447⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        448⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        449⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        450⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        451⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        452⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        453⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        454⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        455⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        456⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        457⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        458⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        459⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        460⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        461⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        462⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        463⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        464⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        465⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        467⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        468⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        469⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        470⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        471⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        472⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        473⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        474⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        475⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        476⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        477⤵
        System Location Discovery: System Language Discovery
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        478⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        479⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        480⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        481⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        482⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        483⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        484⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        485⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        486⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        487⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        488⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        489⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        490⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        491⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        492⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        493⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        494⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        495⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        496⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        497⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        498⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        499⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        500⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        501⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        502⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        503⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        504⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        505⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        506⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        507⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        508⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        509⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        510⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        511⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        512⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        513⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        514⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        515⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        516⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        517⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        518⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        519⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        520⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        521⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        522⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        523⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        524⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        525⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        526⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        527⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        528⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        529⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        530⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        531⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        532⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        533⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        534⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        535⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        536⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        537⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        538⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        539⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        540⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        541⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        542⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        543⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        544⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        545⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        546⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        547⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        548⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        549⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        550⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        551⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        552⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        553⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        554⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        555⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        556⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        557⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        558⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        559⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        560⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        561⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        562⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        563⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        564⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        565⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        566⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        567⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        568⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        569⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        570⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        571⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        572⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        573⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        574⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        575⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        576⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        577⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        578⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        579⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        580⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        581⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        582⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        583⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        584⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        585⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        586⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        587⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        588⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        589⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        590⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        591⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        592⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        593⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        594⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        595⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        596⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        597⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        598⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        599⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        600⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        601⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        602⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        603⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        604⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        605⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        606⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        607⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        608⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        609⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        610⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        611⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        612⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        613⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        614⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        615⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        616⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        617⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        618⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        619⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        620⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        621⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        622⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        623⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        624⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        625⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        626⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        627⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        628⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        629⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        630⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        631⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        632⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        633⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        634⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        635⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        636⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        637⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        638⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        639⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        640⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        641⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        642⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        643⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        644⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        645⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        646⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        647⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        648⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        649⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        650⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        651⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        652⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        653⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        654⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        655⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        656⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        657⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        658⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        659⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        660⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        661⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        662⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        663⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        664⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        665⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        666⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        667⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        668⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        669⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        670⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        671⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        672⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        673⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        674⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        675⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        676⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        677⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        678⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        679⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        680⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        681⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        682⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        683⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        684⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        685⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        686⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        687⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        688⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        689⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        690⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        691⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        692⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        693⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        694⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        695⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        696⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        697⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        698⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        699⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        700⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        701⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        702⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        703⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        704⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        705⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        706⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        707⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        708⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        709⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        710⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        711⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        712⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        713⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        714⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        715⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        716⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        717⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        718⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        719⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        720⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        721⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        722⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        723⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        724⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        725⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        726⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        727⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        728⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        729⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        730⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        731⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        732⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        733⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        734⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        735⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        736⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        737⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        738⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        739⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        740⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        741⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        742⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        743⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        744⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        745⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        746⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        747⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        748⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        749⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        750⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        751⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        752⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        753⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        754⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        755⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        756⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        757⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        758⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        759⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        760⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        761⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        762⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        763⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        764⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        765⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        766⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        767⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        768⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        769⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        770⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        771⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        772⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        773⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        774⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        775⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        776⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        777⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        778⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        779⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        780⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        781⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        782⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        783⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        784⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        785⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        786⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        787⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        788⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        789⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        790⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        791⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        792⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        793⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        794⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        795⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        796⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        797⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        798⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        799⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        800⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        801⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        802⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        803⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        804⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        805⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        806⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        807⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        808⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        809⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        810⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        811⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        812⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        813⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        814⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        815⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        816⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        817⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        818⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        819⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        820⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        821⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        822⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        823⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        824⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        825⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        826⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        827⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        828⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        829⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        830⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        831⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        832⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        833⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        834⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        835⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        836⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        837⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        838⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        839⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        840⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        841⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        842⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        843⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        844⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        845⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        846⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        847⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        848⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        849⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        850⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        851⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        852⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        853⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        854⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        855⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        856⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        857⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        858⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        859⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        860⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        861⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        862⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        863⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        864⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        865⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        866⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        867⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        868⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        869⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        870⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        871⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        872⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        873⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        874⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        875⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        876⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        877⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        878⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        879⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        880⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        881⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        882⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        883⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        884⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        885⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        886⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        887⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        888⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        889⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        890⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        891⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        892⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        893⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        894⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        895⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        896⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        897⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        898⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        899⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        900⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        901⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        902⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        903⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        904⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        905⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        906⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        907⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        908⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        909⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        910⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        911⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        912⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        913⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        914⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        915⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        916⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        917⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        918⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        919⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        920⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        921⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        922⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        923⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        924⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        925⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        926⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        927⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        928⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        929⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        930⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        931⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        932⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        933⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        934⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        935⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        936⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        937⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A7A.tmp.exe"
        938⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\753e71b8-8d5c-4a91-8e9d-f81608dae5ef.vbs"
        22⤵
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8df27ca2-7853-4b1f-b329-5ca5f9fe8541.vbs"
        20⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73fd4585-099e-47f3-a8ef-2ffac5a4b17d.vbs"
        18⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmpEEA1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEEA1.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmpEEA1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEEA1.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eacd13e5-bb4d-4d83-9655-ea8cc4e9c08f.vbs"
        16⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0beefa9a-aaee-48fd-b800-24eb9dfe6a6c.vbs"
        14⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8911.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530af704-f6ac-4d63-b0df-dea1830e44dc.vbs"
        12⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp56C6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp56C6.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp56C6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp56C6.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a10083-0e39-43cb-bb3c-3cbacfcf7012.vbs"
        10⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmp2594.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2594.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp2594.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2594.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a44211fd-c808-43e6-87ea-f744fca770c5.vbs"
        8⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3db83c10-f5e8-4122-b489-33be41ed2248.vbs"
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4312
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e562ebd6-ee08-4e5d-853c-de01930de8e5.vbs"
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a5e1f1efff867a822c6a57ee928dd66

SHA1
b017854d8a1deb05f1447e9dd6002902fb66bf6b

SHA256
8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957

SHA512
25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5409e8a41cf075d472a1d88416461afb

SHA1
f8db83b44f21c8e21348845d538e2c99107c1dff

SHA256
7f1d12b28e13fdd8cba3f75fb8bda4113a59767876fe59c0c06f31ec872ffa9f

SHA512
20406f0b0f65a3e85c61f33e39139b8b991dbeac0abe57bc77552612007c3a7a0c5a07bafccccae65d53535e37b32854b886ce06a1759eafce91311a43a879af

Download Submit
C:\Users\Admin\AppData\Local\Temp\15ca635f-25d5-4326-a47f-45c520dea108.vbs

Filesize
732B

MD5
64a47d4bea11106830e82c1b25efb054

SHA1
c9f0ae711f50f6c511b9c05d3a62bb5eba43d566

SHA256
fc269798eacfd84e12cecc6d21f4676f516b17487a4d386ddc58585160404c0b

SHA512
554d3ed6a252a78147851583ebac315bcb7c4e2f75ee03765b626aa5b437f329e2b9aa9391e3ce2bce3b3d7546fedb85133dfaec0b8c49cc67e8ab45bb52e463

Download Submit
C:\Users\Admin\AppData\Local\Temp\168a5b1f-9733-4ed0-b425-985e28ac3527.vbs

Filesize
732B

MD5
69bafff4a913f83f793746aad161f67c

SHA1
03018f0307471866b61bbe52227d03dbebb9f151

SHA256
917f2a5723cff032c4bb649a63e36a10f686272d45da6fa863b6e82c5ef11cfb

SHA512
61c396b5fcffe27e2681b2dbdb9843d7265d70270e340052bea057cc0b012f6828e512947082bdb17848896dcfd5b0b2acf3c9346ab938c8e72fc09ae1e67fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bfb9fdc-1ce7-47dc-af60-648dee3552b7.vbs

Filesize
732B

MD5
c193cc3f49cdc9de94ec416602a31ac5

SHA1
26647e610b8981bd1c859f6171c6e700352d6971

SHA256
e6ce78014ae9e1a145ec199f1563842ab3cf0a4447487bf691c5ed578479d9d3

SHA512
142f2b2a23ff107f4441588c655add4d658d8b1c59002dfef638eaadaf94c923c76b83741a64cc5ed3b0ecf19f39ce4fccac21a3df5062d0422118ece417b79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\54ca4250-6edf-41cf-b7d3-554be0beeeb8.vbs

Filesize
732B

MD5
8e95de9fc2eac0fe8398732a45a81ee5

SHA1
cb43042c22ddb8929478a397e6f044057a8d4ef1

SHA256
8875019ba0a2fcf51e72242613c60af6b1330b2965eb41220c7ce83da408e9c8

SHA512
fdb11d39ffab40a1b32f2f7a5979a10f0f68e5c540e2ec9671985b0843cafaaaaf3b95311f70920e68641b74f09c35ac862f38bec70abea6d0c61b82a78b139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\74518baf-de2e-4ef2-aaf3-eace54d45c91.vbs

Filesize
732B

MD5
c863ec02004538eb04435b29e9be6f69

SHA1
4de9258a6e80256e936aec2974a3c2fb03005065

SHA256
57eb0e0cd1b5e25675e72e810ea14d94d16e49f9e93abe24e4b2496bfdd373dd

SHA512
8bf54889f1518dba58c08cf922d85eab049e2af10360ac0ea8b52fbdd34b920f5d8eee505ac615bc426de218a3c90eadc2d8210469c48890ae2c3635791dfad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhofp3rx.pba.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9c29474-8865-46b5-bc30-6c80843e2d11.vbs

Filesize
732B

MD5
31d62ded9c6dd3ec0f41fcc432e3275a

SHA1
a79f8341ec6d127a7758b8a91401755a37f31fb8

SHA256
6a36e68deadd3caea8b4335ba52f99d9212a55e2920c61c9179ba3df3ea3574e

SHA512
ddfd1380c16f5d9c63c60cf000ee3b9b86060f46fae6a4e0cb343cf5bdbecb6146452c09a7bf67ad375af7c5aa6d2f18229332916ce03ffa88a6eb16b8305a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1cbce6f-a55e-49ec-b509-9b04840942ba.vbs

Filesize
731B

MD5
520f190c98b32833f9bad78ad2836a61

SHA1
ccd92cb806b8799b940922e2a4256e3482f9cb73

SHA256
b1076137bb90478110f584fbc079b21cfa66bab5242be393ec0767cd3bbe06cf

SHA512
8165ecea4a23726964415bafa5d8d6ca4b069329633bc90b26d21dfdbed4344fafea004058da56a6dbfd1bb65e2730a107fb32c6510b5ccaeb2b8e84e5cb369f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e562ebd6-ee08-4e5d-853c-de01930de8e5.vbs

Filesize
508B

MD5
05544987fe2959acc5d92431ef5c53cf

SHA1
644a6e23a64e54ccbf6edb0c28e2a0c56d989d41

SHA256
4dbc90397d5f01e8321f723108ad740db39e5a9f6c54e97fed55aebd184336c2

SHA512
8be5a14cdda7d6bb70eeaefe519e3e9741f6653726d88320aadfeeb83a73638d044e63f0e300ec64c024c105089b0b69916aa3a058cce99092bdbd8e9cd2917c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPqPN6FzPk.bat

Filesize
221B

MD5
80e5c3b69df4e63ba0f10e99e36556c5

SHA1
4a15e9e2b510a94a91047b4ccb042f80c8f78580

SHA256
8bb855abe477b42d7b145c45d9ae75e15c520a32131e6d32e15a0a8b6776762c

SHA512
52924e240a34e0e2c4eff69ef0021a041360cf8b04dd41396070963d84506c9a60b2e242b98e5a646a2ccc14ff12d48485a2328db3bcb9971b13554008f33712

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80FA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\Saved Games\csrss.exe

Filesize
4.9MB

MD5
bc6d8c1824fbce3832a86042be6ce8ec

SHA1
5c750a20d9ddeb5be64ba89d220a8657adbce18b

SHA256
456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

SHA512
abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292

Download Submit
memory/1480-230-0x000001697B490000-0x000001697B5DE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1888-257-0x000001EC29F40000-0x000001EC2A08E000-memory.dmp

Filesize
1.3MB

Download
memory/1964-235-0x000001D719E20000-0x000001D719F6E000-memory.dmp

Filesize
1.3MB

Download
memory/2144-313-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2208-226-0x000001B7F8950000-0x000001B7F8A9E000-memory.dmp

Filesize
1.3MB

Download
memory/2528-250-0x0000014F43DB0000-0x0000014F43EFE000-memory.dmp

Filesize
1.3MB

Download
memory/2680-124-0x0000019A294D0000-0x0000019A294F2000-memory.dmp

Filesize
136KB

Download
memory/2680-238-0x0000019A41720000-0x0000019A4186E000-memory.dmp

Filesize
1.3MB

Download
memory/3312-253-0x00000122B7A30000-0x00000122B7B7E000-memory.dmp

Filesize
1.3MB

Download
memory/3512-241-0x0000014A73270000-0x0000014A733BE000-memory.dmp

Filesize
1.3MB

Download
memory/3692-287-0x000000001DD00000-0x000000001DE02000-memory.dmp

Filesize
1.0MB

Download
memory/3692-261-0x000000001D890000-0x000000001D8A2000-memory.dmp

Filesize
72KB

Download
memory/4264-11-0x000000001C580000-0x000000001C592000-memory.dmp

Filesize
72KB

Download
memory/4264-18-0x000000001C630000-0x000000001C63C000-memory.dmp

Filesize
48KB

Download
memory/4264-14-0x000000001C5A0000-0x000000001C5AE000-memory.dmp

Filesize
56KB

Download
memory/4264-15-0x000000001C600000-0x000000001C60E000-memory.dmp

Filesize
56KB

Download
memory/4264-0-0x00007FF868443000-0x00007FF868445000-memory.dmp

Filesize
8KB

Download
memory/4264-12-0x000000001CB30000-0x000000001D058000-memory.dmp

Filesize
5.2MB

Download
memory/4264-13-0x000000001C590000-0x000000001C59A000-memory.dmp

Filesize
40KB

Download
memory/4264-16-0x000000001C610000-0x000000001C618000-memory.dmp

Filesize
32KB

Download
memory/4264-2-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4264-1-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/4264-10-0x000000001BED0000-0x000000001BEDA000-memory.dmp

Filesize
40KB

Download
memory/4264-3-0x000000001BEF0000-0x000000001C01E000-memory.dmp

Filesize
1.2MB

Download
memory/4264-8-0x000000001C560000-0x000000001C576000-memory.dmp

Filesize
88KB

Download
memory/4264-9-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/4264-17-0x000000001C620000-0x000000001C628000-memory.dmp

Filesize
32KB

Download
memory/4264-6-0x00000000031B0000-0x00000000031B8000-memory.dmp

Filesize
32KB

Download
memory/4264-7-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/4264-122-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4264-5-0x000000001C5B0000-0x000000001C600000-memory.dmp

Filesize
320KB

Download
memory/4264-4-0x0000000003190000-0x00000000031AC000-memory.dmp

Filesize
112KB

Download
memory/4428-256-0x000001E8E1340000-0x000001E8E148E000-memory.dmp

Filesize
1.3MB

Download
memory/4460-247-0x0000014356890000-0x00000143569DE000-memory.dmp

Filesize
1.3MB

Download
memory/4628-244-0x000002C24B4D0000-0x000002C24B61E000-memory.dmp

Filesize
1.3MB

Download