expiro | b42e2e1b731cca1c71a42ac0f2db617f7697668d87a29b71895f7700c24d1743

Analysis

max time kernel
73s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Size

828KB
MD5

00d0ecabb7335657bea410a4b836655a
SHA1

64fa1f27143e13c07a123840d7e43a4a3ed225eb
SHA256

3983beae2740353b08753a433beec30565e33b61fc4cd182df699070ef5723be
SHA512

ee14339bd9bfd09ad24da3dce32711b90e137f0ffc0e9e383b8cfd268b792721c150fd2d7040fcf4c6b2fe76771d997a51e4be644eb69a674dfbf36b0e871267
SSDEEP

24576:jObQYeKlnLiOzk3J8XszmzVTGRF3LKB2qO9pRpCBP:ybxtIFAn40k95C

Score

10^/10

expiro backdoor discovery

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 64 IoCs

backdoor

resource	yara_rule
behavioral2/memory/212-24-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1528-25-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1056-31-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1504-33-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4960-26-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3416-45-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1612-44-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/5044-43-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/2392-46-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4560-54-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4960-53-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1528-49-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3944-57-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4212-56-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1056-59-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1504-64-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/536-87-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3852-78-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3476-73-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4560-106-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3944-110-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/756-99-0x0000000140000000-0x000000014037F000-memory.dmp	family_expiro1
behavioral2/memory/4512-98-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3416-97-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1508-111-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/2296-117-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3020-116-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/704-129-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1632-134-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/536-133-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1432-128-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3516-124-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/5016-123-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4512-138-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1676-145-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3944-143-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3372-152-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4444-160-0x0000000140000000-0x0000000140376000-memory.dmp	family_expiro1
behavioral2/memory/2296-159-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1716-158-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1508-156-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3588-155-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1028-154-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3516-165-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/704-168-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4168-166-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3516-172-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4492-174-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3668-173-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/220-171-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1632-170-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3668-176-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/5068-179-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1932-184-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/2092-183-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1676-178-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/1676-180-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/5084-187-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4436-186-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/3588-185-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/2128-192-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4444-190-0x0000000140000000-0x0000000140376000-memory.dmp	family_expiro1
behavioral2/memory/2556-199-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral2/memory/4168-200-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1

Executes dropped EXE 64 IoCs

pid	Process
5044	9F9B.tmp
2392	9FCA.tmp
1612	9FF9.tmp
212	9FE9.tmp
4960	A028.tmp
1528	A037.tmp
4212	A095.tmp
1056	A1CE.tmp
1504	A2E7.tmp
3476	A5E5.tmp
3852	AAD6.tmp
3416	AE9F.tmp
4560	B99B.tmp
3944	BD83.tmp
3020	BFD5.tmp
5016	C94B.tmp
1432	CAB2.tmp
536	CC29.tmp
4512	CE5C.tmp
756	elevation_service.exe
3372	D011.tmp
1028	D1C7.tmp
1508	D3CB.tmp
1716	D6C8.tmp
2296	D88D.tmp
3516	DC95.tmp
704	DED7.tmp
1632	E119.tmp
3668	E501.tmp
1676	EA02.tmp
1932	ECE0.tmp
3588	F28E.tmp
4444	elevation_service.exe
4168	FA9C.tmp
660	FD7A.tmp
220	FF40.tmp
4492	B7.tmp
5068	4BE.tmp
2092	848.tmp
4436	9FE.tmp
5084	B26.tmp
2324	DC6.tmp
2128	FE9.tmp
2556	11DD.tmp
4916	maintenanceservice.exe
2028	16BF.tmp
4260	198E.tmp
872	1E8F.tmp
4412	215E.tmp
1396	243C.tmp
4296	265F.tmp
3040	2DF1.tmp
1796	3294.tmp
3668	364D.tmp
4836	OSE.EXE
2448	3AE1.tmp
3472	3E7B.tmp
532	4011.tmp
3824	40FC.tmp
3124	45DE.tmp
444	4CB4.tmp
3536	500F.tmp
3544	5213.tmp
2812	57A1.tmp

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	9FF9.tmp
File created	\??\c:\windows\system32\msiexec.vir	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\vssvc.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\msdtc.exe	9FF9.tmp
File created	\??\c:\windows\SysWOW64\msiexec.vir	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\Agentservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\wbengine.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\lsass.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\snmptrap.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\spectrum.exe	9FF9.tmp
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	9FF9.tmp
File opened for modification	\??\c:\windows\system32\vds.exe	9FF9.tmp
File created	\??\c:\windows\system32\wbengine.vir	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\dllhost.exe	9FF9.tmp
File created	\??\c:\windows\system32\fxssvc.vir	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\locator.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	9FF9.tmp
File created	\??\c:\windows\system32\snmptrap.vir	9FF9.tmp
File opened for modification	\??\c:\windows\system32\svchost.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\Appvclient.exe	9FF9.tmp
File created	\??\c:\windows\system32\Appvclient.vir	9FF9.tmp
File created	\??\c:\windows\system32\msdtc.vir	9FF9.tmp
File opened for modification	\??\c:\windows\system32\msiexec.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\fxssvc.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	9FF9.tmp
File created	\??\c:\windows\system32\Agentservice.vir	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	9FF9.tmp
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	9FF9.tmp
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	9FF9.tmp

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.vir	9FF9.tmp
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	9FF9.tmp
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir	9FF9.tmp
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	9FF9.tmp
File created	\??\c:\program files\common files\microsoft shared\source engine\ose.vir	9FF9.tmp
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	9FF9.tmp
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	9FF9.tmp
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	9FF9.tmp
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	9FF9.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	9FF9.tmp
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	9FF9.tmp

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1020	3944	WerFault.exe	111
4392	3516	WerFault.exe	139
4372	1676	WerFault.exe	149
548	3668	WerFault.exe	145
4000	2028	WerFault.exe	185
1320	2412	WerFault.exe	296

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	243C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5D6D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	198E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8681.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2E7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57A1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A1CE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16BF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3294.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	364D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E119.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5213.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	991E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFD5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A718.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6F4F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A095.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAB2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DED7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1E8F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	500F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9C89.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B6D8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3AE1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9E5E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9F9B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45DE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C94B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1612	9FF9.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1396	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	83
PID 2220 wrote to memory of 1396	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	83
PID 2220 wrote to memory of 1396	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	83
PID 1396 wrote to memory of 3004	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	84
PID 1396 wrote to memory of 3004	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	84
PID 1396 wrote to memory of 3004	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	84
PID 3004 wrote to memory of 3884	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	85
PID 3004 wrote to memory of 3884	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	85
PID 3004 wrote to memory of 3884	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	85
PID 3884 wrote to memory of 3672	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	86
PID 3884 wrote to memory of 3672	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	86
PID 3884 wrote to memory of 3672	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	86
PID 3672 wrote to memory of 3980	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	87
PID 3672 wrote to memory of 3980	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	87
PID 3672 wrote to memory of 3980	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	87
PID 3980 wrote to memory of 1224	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	88
PID 3980 wrote to memory of 1224	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	88
PID 2220 wrote to memory of 5044	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	89
PID 3980 wrote to memory of 1224	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	88
PID 2220 wrote to memory of 5044	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	89
PID 2220 wrote to memory of 5044	2220	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	89
PID 1224 wrote to memory of 3932	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	90
PID 1224 wrote to memory of 3932	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	90
PID 1224 wrote to memory of 3932	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	90
PID 1396 wrote to memory of 2392	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	91
PID 1396 wrote to memory of 2392	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	91
PID 1396 wrote to memory of 2392	1396	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	91
PID 3004 wrote to memory of 212	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	92
PID 3004 wrote to memory of 212	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	92
PID 3004 wrote to memory of 212	3004	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	92
PID 3884 wrote to memory of 1612	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	93
PID 3884 wrote to memory of 1612	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	93
PID 3884 wrote to memory of 1612	3884	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	93
PID 3932 wrote to memory of 4372	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	94
PID 3932 wrote to memory of 4372	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	94
PID 3932 wrote to memory of 4372	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	94
PID 3672 wrote to memory of 4960	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	95
PID 3672 wrote to memory of 4960	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	95
PID 3672 wrote to memory of 4960	3672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	95
PID 3980 wrote to memory of 1528	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	96
PID 3980 wrote to memory of 1528	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	96
PID 3980 wrote to memory of 1528	3980	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	96
PID 1224 wrote to memory of 4212	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	97
PID 1224 wrote to memory of 4212	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	97
PID 1224 wrote to memory of 4212	1224	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	97
PID 4372 wrote to memory of 860	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	98
PID 4372 wrote to memory of 860	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	98
PID 4372 wrote to memory of 860	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	98
PID 3932 wrote to memory of 1056	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	99
PID 3932 wrote to memory of 1056	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	99
PID 3932 wrote to memory of 1056	3932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	99
PID 4372 wrote to memory of 1504	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	100
PID 4372 wrote to memory of 1504	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	100
PID 4372 wrote to memory of 1504	4372	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	100
PID 860 wrote to memory of 4608	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	101
PID 860 wrote to memory of 4608	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	101
PID 860 wrote to memory of 4608	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	101
PID 860 wrote to memory of 3476	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	102
PID 860 wrote to memory of 3476	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	102
PID 860 wrote to memory of 3476	860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	102
PID 4608 wrote to memory of 1756	4608	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	103
PID 4608 wrote to memory of 1756	4608	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	103
PID 4608 wrote to memory of 1756	4608	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	103
PID 4608 wrote to memory of 3852	4608	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	104

C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
"C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
  "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
    "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
      "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        12⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        13⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        14⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        15⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        16⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        17⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        19⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        20⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        21⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        23⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        26⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        27⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        28⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        29⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        30⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        32⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        33⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        35⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        36⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        37⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        43⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        44⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        45⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        46⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        47⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        49⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        53⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        56⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        58⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        59⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        60⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        62⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        63⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        64⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        65⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        66⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        68⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        69⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        70⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        71⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        72⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        76⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        79⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        80⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        82⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        83⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        85⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        88⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        91⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        92⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        93⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        94⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        95⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        96⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        97⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        98⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        99⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        100⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        101⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        102⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        103⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        104⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        105⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        106⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        107⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        108⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        109⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        110⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        111⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        112⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        113⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        114⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        115⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        116⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        117⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        118⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        119⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        120⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        121⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        122⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        123⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        124⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        125⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        126⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        127⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        128⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        129⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        130⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        131⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        132⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        133⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        134⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        135⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        136⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        137⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        138⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        139⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        140⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        141⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        142⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        143⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        144⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        145⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        146⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        147⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        148⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        149⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        150⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        151⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        152⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        153⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        154⤵
        
        PID:6616
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        155⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        156⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        157⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        158⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        159⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        160⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        161⤵
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        162⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        163⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        164⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        165⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        166⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        167⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        168⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        169⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        170⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\E6EB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E6EB.tmp"
        170⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\E332.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E332.tmp"
        169⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\E277.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E277.tmp"
        168⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\DEFC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DEFC.tmp"
        167⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\DA97.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DA97.tmp"
        166⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\D8C2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D8C2.tmp"
        165⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\D613.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D613.tmp"
        164⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\D131.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D131.tmp"
        163⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\CA4B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CA4B.tmp"
        162⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\C6B1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C6B1.tmp"
        161⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\C308.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C308.tmp"
        160⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\BF2F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BF2F.tmp"
        159⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\BC51.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BC51.tmp"
        158⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\B9F0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B9F0.tmp"
        157⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\B685.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B685.tmp"
        156⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\B1D2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B1D2.tmp"
        155⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\ADCA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ADCA.tmp"
        154⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\AA9E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AA9E.tmp"
        153⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\A399.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A399.tmp"
        152⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\A118.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A118.tmp"
        151⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\9D40.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9D40.tmp"
        150⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\9C17.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9C17.tmp"
        149⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\9929.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9929.tmp"
        148⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\9234.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9234.tmp"
        147⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\8D52.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8D52.tmp"
        146⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\8841.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8841.tmp"
        145⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\85D0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\85D0.tmp"
        144⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\80EE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\80EE.tmp"
        143⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\7B7F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7B7F.tmp"
        142⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\7834.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7834.tmp"
        141⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\716D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\716D.tmp"
        140⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\6C5C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6C5C.tmp"
        139⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\696E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\696E.tmp"
        138⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\6529.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6529.tmp"
        137⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\6269.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6269.tmp"
        136⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\5CEB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5CEB.tmp"
        135⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\59FD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\59FD.tmp"
        134⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\5644.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5644.tmp"
        133⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\528B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\528B.tmp"
        132⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\4CAF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4CAF.tmp"
        131⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\4A8C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A8C.tmp"
        130⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\4694.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4694.tmp"
        129⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\45BA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\45BA.tmp"
        128⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\43F5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\43F5.tmp"
        127⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\3CD0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3CD0.tmp"
        126⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\39C3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\39C3.tmp"
        125⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\3704.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3704.tmp"
        124⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\357D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\357D.tmp"
        123⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\303E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\303E.tmp"
        122⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\2ACF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2ACF.tmp"
        121⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\28CB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\28CB.tmp"
        120⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\260C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\260C.tmp"
        119⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\2253.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2253.tmp"
        118⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\1CB6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1CB6.tmp"
        117⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\192B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\192B.tmp"
        116⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\1478.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1478.tmp"
        115⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\10BF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\10BF.tmp"
        114⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\D25.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D25.tmp"
        113⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\97C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\97C.tmp"
        112⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\70B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\70B.tmp"
        111⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\4A9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A9.tmp"
        110⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\2B5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2B5.tmp"
        109⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\FECD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FECD.tmp"
        108⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\FB43.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FB43.tmp"
        107⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\F632.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F632.tmp"
        106⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\EF8B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EF8B.tmp"
        105⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\EC7E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EC7E.tmp"
        104⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\E829.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E829.tmp"
        103⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\E663.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E663.tmp"
        102⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\E039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E039.tmp"
        101⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\DD3C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DD3C.tmp"
        100⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\D934.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D934.tmp"
        99⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\D731.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D731.tmp"
        98⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\D3A7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D3A7.tmp"
        97⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\D126.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D126.tmp"
        96⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\D06A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D06A.tmp"
        95⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\CD8C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CD8C.tmp"
        94⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\C7CF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C7CF.tmp"
        93⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\C5AC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C5AC.tmp"
        92⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\C02E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C02E.tmp"
        91⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 256
        92⤵
        Program crash
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\BE4A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BE4A.tmp"
        90⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\B977.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B977.tmp"
        89⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\B6D8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B6D8.tmp"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\B438.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B438.tmp"
        87⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\AF56.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AF56.tmp"
        86⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\AAB2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AAB2.tmp"
        85⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\A718.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A718.tmp"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\A350.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A350.tmp"
        83⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\A0BF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A0BF.tmp"
        82⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\9E5E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9E5E.tmp"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\9C89.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9C89.tmp"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\991E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\991E.tmp"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\9277.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9277.tmp"
        78⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\8D37.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8D37.tmp"
        77⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\89CC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\89CC.tmp"
        76⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\8681.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8681.tmp"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\80A5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\80A5.tmp"
        74⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\7EC0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7EC0.tmp"
        73⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\7AE8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7AE8.tmp"
        72⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\76C1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\76C1.tmp"
        71⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\725C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\725C.tmp"
        70⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\6F4F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6F4F.tmp"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\6D5B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6D5B.tmp"
        68⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\6BB5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6BB5.tmp"
        67⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\6954.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6954.tmp"
        66⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\656C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\656C.tmp"
        65⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\606B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\606B.tmp"
        64⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\5D6D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5D6D.tmp"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\59A4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\59A4.tmp"
        62⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\57A1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\57A1.tmp"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\5213.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5213.tmp"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\500F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\500F.tmp"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\4CB4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4CB4.tmp"
        58⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\45DE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\45DE.tmp"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\40FC.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\40FC.tmp"
        56⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\4011.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4011.tmp"
        55⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3E7B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3E7B.tmp"
        54⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3AE1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3AE1.tmp"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\364D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\364D.tmp"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3294.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3294.tmp"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2DF1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2DF1.tmp"
        50⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\265F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\265F.tmp"
        49⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\243C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\243C.tmp"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\215E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\215E.tmp"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\1E8F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1E8F.tmp"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\198E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\198E.tmp"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\16BF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\16BF.tmp"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 256
        45⤵
        Program crash
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\11DD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\11DD.tmp"
        43⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\FE9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FE9.tmp"
        42⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\DC6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DC6.tmp"
        41⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\B26.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B26.tmp"
        40⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\9FE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9FE.tmp"
        39⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\848.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\848.tmp"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\4BE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4BE.tmp"
        37⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\B7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B7.tmp"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\FF40.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FF40.tmp"
        35⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\FD7A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FD7A.tmp"
        34⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\FA9C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FA9C.tmp"
        33⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\F28E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F28E.tmp"
        32⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\ECE0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\ECE0.tmp"
        31⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\EA02.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\EA02.tmp"
        30⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 256
        31⤵
        Program crash
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\E501.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E501.tmp"
        29⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 256
        30⤵
        Program crash
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\E119.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E119.tmp"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\DED7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DED7.tmp"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\DC95.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DC95.tmp"
        26⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 256
        27⤵
        Program crash
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\D88D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D88D.tmp"
        25⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\D6C8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D6C8.tmp"
        24⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\D3CB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D3CB.tmp"
        23⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\D1C7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D1C7.tmp"
        22⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\D011.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D011.tmp"
        21⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\CE5C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CE5C.tmp"
        20⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\CC29.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CC29.tmp"
        19⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\CAB2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CAB2.tmp"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\C94B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C94B.tmp"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\BFD5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BFD5.tmp"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\BD83.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD83.tmp"
        15⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 256
        16⤵
        Program crash
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\B99B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B99B.tmp"
        14⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\AE9F.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AE9F.tmp"
        13⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\AAD6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AAD6.tmp"
        12⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\A5E5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A5E5.tmp"
        11⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\A2E7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A2E7.tmp"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\A1CE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A1CE.tmp"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\A095.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A095.tmp"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\A037.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A037.tmp"
        7⤵
        Executes dropped EXE
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\A028.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A028.tmp"
        6⤵
        Executes dropped EXE
        
        PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\9FF9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9FF9.tmp"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\9FE9.tmp
      "C:\Users\Admin\AppData\Local\Temp\9FE9.tmp"
      4⤵
      Executes dropped EXE
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\9FCA.tmp
    "C:\Users\Admin\AppData\Local\Temp\9FCA.tmp"
    3⤵
    - Executes dropped EXE
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\9F9B.tmp
  "C:\Users\Admin\AppData\Local\Temp\9F9B.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3944 -ip 3944
1⤵
PID:4652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3516 -ip 3516
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3668 -ip 3668
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1676 -ip 1676
1⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2028 -ip 2028
1⤵
PID:4400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:1100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:3408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2412 -ip 2412
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c6481d76beba97c26584c8063a555883

SHA1
566dcb3453a22827aeced40a6fcabfab5adc4048

SHA256
f81c84f3be223933bdf620f6f0e1bd1403821a02bd145767baf9e95768afe2d0

SHA512
040fce6e1d1098b26a311ed34a4fab9a03406189875b9ebc1b2dc124a4e5d1a51c7d69b1c037db0e587cf6153a2e5ca5ad93416f768dd76c2d9d5ce701c6326c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
800KB

MD5
2398c8311817324f8842f365f23d0d47

SHA1
6b4ffe75c28d57f1a0f9fff9a0d90101dab17f47

SHA256
02ed4cec7adcec2d3c98737af55275738571df0710b4b39dad8916166a9b30e9

SHA512
38928a0be352be817b9f8d11d8e7873b4cead73e372f76f8a63c1a068f2645c4602c6b24033851f0219b5f7ce4d45cda205ba29a885ebbd5952d896eed6ad859

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
73fddb97275705efc2d1d80a6f930a0b

SHA1
d0abe3a7717f49b932452acb09f13340ae01417b

SHA256
d7b657539824bb325588a09dffa6a29ad0825df45adf7fa8ce8b213511750c49

SHA512
1d8cf7cfed3cb14e89b3dfa4e5d5fafeb79bd2f59734d48a8616a8c599f7c4329cccfc760e8fb1088cca27613b20fa2b0dccf76d74479ab130b021b6fc5ce494

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F9B.tmp

Filesize
630KB

MD5
98a7bc652b56b926e5f7b10fd162159c

SHA1
e1185982d99bef65682abd517e69677f045ea90d

SHA256
b9947dbf4355ac95dc831cb7189b2020fa372febe68e9180b733f80a5b74ad8c

SHA512
76f46a17a602dfb3f8b54e8e633ade02c88b0f279dcbaa043b08b81f4f81f057cedcaf1a6b5eaf4dd423da5185da621507f5cc6a0ffdf13e9a95760f3270bce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
292B

MD5
5355b8dd454c0e87b8f8fa5064e00063

SHA1
6bd0a181744f230616ad4f38f2bf87e20889ae09

SHA256
ade807c3a2357be7b98bbb047f7c9cbbb6ccc43e6bcad336746beffdb9527b88

SHA512
bd3f1571690cf05bd835495151a906cd7ea21ecdc7093366d51fcb4e4b8887f250faec995e46ebea6ae55aa447842f5f3a0f9e5577f51737e54d30fdf4805550

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
983KB

MD5
4786f8a64ee0cba2f8088dc83db8a691

SHA1
1b7335d66018720c2de2c2e1b84cba28f12d9a65

SHA256
a562e9c80f7354669cd23b5debc2f810d3204b22a658f1db204058f261926302

SHA512
637e6925da40f022a053bea74a52f5909a511277622f9ec3a3cf2724c5ee75c9457037b039b4b8c46b5300a3d6cd430dbce47e92257ec60d95b2475f33ce2de8

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.3MB

MD5
0190cd1487785f5480934b19560091c2

SHA1
2743d1160de98b42f86026099b38d023a496d0c9

SHA256
e71c29dc72668d581fe67100c76102c02f621e32b0512b3ee4c3cf95bdf7fb14

SHA512
b6e9b3beb39b87704765e080ab73c8d2c90a9a774ae624584fd291dc3484600db80066070ced3f2d6bdfcb226ea71af1075195527b8e0d0fa77ab5c128a11127

Download Submit
memory/212-24-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/220-171-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/220-205-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/536-133-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/536-87-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/660-202-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/704-129-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/704-168-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/756-139-0x0000000140000000-0x000000014037F000-memory.dmp

Filesize
3.5MB

Download
memory/756-142-0x0000000140000000-0x000000014037F000-memory.dmp

Filesize
3.5MB

Download
memory/756-99-0x0000000140000000-0x000000014037F000-memory.dmp

Filesize
3.5MB

Download
memory/872-255-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/872-212-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1028-154-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1056-59-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1056-31-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1396-217-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1396-260-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1432-128-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1504-64-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1504-33-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-111-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-156-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1528-49-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1528-25-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1612-44-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1632-170-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1632-134-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-180-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-178-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-145-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1716-158-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1796-224-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1796-279-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1932-184-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2028-206-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2028-251-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2028-249-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2092-214-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2092-183-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-221-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-192-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2296-159-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2296-117-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2324-220-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2392-46-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2556-199-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2556-223-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3020-116-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3040-276-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3372-152-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3416-45-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3416-97-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3476-73-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3516-124-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3516-172-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3516-165-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3588-185-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3588-155-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-176-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-247-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-173-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-281-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3852-78-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3944-110-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3944-57-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3944-143-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4168-166-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4168-200-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4212-56-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4260-209-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4260-253-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4296-267-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4412-257-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4412-215-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-186-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-216-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4444-160-0x0000000140000000-0x0000000140376000-memory.dmp

Filesize
3.5MB

Download
memory/4444-193-0x0000000140000000-0x0000000140376000-memory.dmp

Filesize
3.5MB

Download
memory/4444-190-0x0000000140000000-0x0000000140376000-memory.dmp

Filesize
3.5MB

Download
memory/4492-174-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4492-208-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4512-138-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4512-98-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4560-54-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4560-106-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4916-203-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/4916-225-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/4960-53-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/4960-26-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5016-123-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5044-43-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5044-14-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5068-211-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5068-179-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/5084-187-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download