4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb

Analysis

max time kernel
29s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
Size

115KB
MD5

b6d325ff2b6e908e0c52e773fdae61f1
SHA1

8584f372d04b748342dd0df4332eaf8a99503b6a
SHA256

4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
SHA512

d3be029bf1082b939e8d411841e6fd127b2685d3c327949765ac95dd701974de2a72955cd768264b117732e7df28989b8a9c6ba6220f722a2eefd0886e988692
SSDEEP

3072:6tEDHJUqYUOhaDTZSm6H6MKoWOwdFnzyfaD:OUH2qvgiWYdFnzyfaD

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 55 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 55 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	oEUEYQoQ.exe
1596	CEEQEcEY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oEUEYQoQ.exe = "C:\\Users\\Admin\\BcAIcYwc\\oEUEYQoQ.exe"	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CEEQEcEY.exe = "C:\\ProgramData\\xawMYQcU\\CEEQEcEY.exe"	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oEUEYQoQ.exe = "C:\\Users\\Admin\\BcAIcYwc\\oEUEYQoQ.exe"	oEUEYQoQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CEEQEcEY.exe = "C:\\ProgramData\\xawMYQcU\\CEEQEcEY.exe"	CEEQEcEY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4796	reg.exe
3880	reg.exe
464	reg.exe
1284	reg.exe
4304	reg.exe
1136	reg.exe
1216	reg.exe
3796	reg.exe
2540	reg.exe
4964	reg.exe
3776	reg.exe
2644	reg.exe
3896	reg.exe
4596	reg.exe
4620	reg.exe
5016	reg.exe
4512	reg.exe
1372	reg.exe
3832	reg.exe
2088	reg.exe
5064	reg.exe
1628	reg.exe
2548	reg.exe
4324	reg.exe
1712	reg.exe
1828	reg.exe
2440	reg.exe
2732	reg.exe
4192	reg.exe
4256	reg.exe
3156	reg.exe
3092	reg.exe
2328	reg.exe
2632	reg.exe
4740	reg.exe
3672	reg.exe
636	reg.exe
2828	reg.exe
4016	reg.exe
2224	reg.exe
1280	reg.exe
2836	reg.exe
3140	reg.exe
4852	reg.exe
2328	reg.exe
1512	reg.exe
116	reg.exe
4380	reg.exe
3528	reg.exe
3848	reg.exe
692	reg.exe
5064	reg.exe
1136	reg.exe
4928	reg.exe
3336	reg.exe
4600	reg.exe
4440	reg.exe
3640	reg.exe
3564	reg.exe
3132	reg.exe
4848	reg.exe
5004	reg.exe
2168	reg.exe
2828	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1516	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1516	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1516	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1516	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4836	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4836	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4836	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4836	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2440	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2440	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2440	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2440	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1180	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1180	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1180	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1180	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1960	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1960	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1960	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1960	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4848	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4848	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4848	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4848	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2092	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2092	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2092	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
2092	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1640	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1640	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1640	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
1640	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
5068	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
5068	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
5068	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
5068	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
564	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
564	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
564	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
564	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3628	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3628	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3628	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
3628	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
4948	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 2256	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	90
PID 3380 wrote to memory of 2256	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	90
PID 3380 wrote to memory of 2256	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	90
PID 3380 wrote to memory of 1596	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	91
PID 3380 wrote to memory of 1596	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	91
PID 3380 wrote to memory of 1596	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	91
PID 3380 wrote to memory of 692	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	92
PID 3380 wrote to memory of 692	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	92
PID 3380 wrote to memory of 692	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	92
PID 3380 wrote to memory of 4776	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	94
PID 3380 wrote to memory of 4776	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	94
PID 3380 wrote to memory of 4776	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	94
PID 3380 wrote to memory of 2304	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	95
PID 3380 wrote to memory of 2304	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	95
PID 3380 wrote to memory of 2304	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	95
PID 3380 wrote to memory of 3176	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	96
PID 3380 wrote to memory of 3176	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	96
PID 3380 wrote to memory of 3176	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	96
PID 3380 wrote to memory of 1544	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	98
PID 3380 wrote to memory of 1544	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	98
PID 3380 wrote to memory of 1544	3380	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	98
PID 1544 wrote to memory of 744	1544	cmd.exe	103
PID 1544 wrote to memory of 744	1544	cmd.exe	103
PID 1544 wrote to memory of 744	1544	cmd.exe	103
PID 692 wrote to memory of 3852	692	cmd.exe	102
PID 692 wrote to memory of 3852	692	cmd.exe	102
PID 692 wrote to memory of 3852	692	cmd.exe	102
PID 3852 wrote to memory of 1612	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	104
PID 3852 wrote to memory of 1612	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	104
PID 3852 wrote to memory of 1612	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	104
PID 1612 wrote to memory of 4696	1612	cmd.exe	106
PID 1612 wrote to memory of 4696	1612	cmd.exe	106
PID 1612 wrote to memory of 4696	1612	cmd.exe	106
PID 3852 wrote to memory of 3476	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	107
PID 3852 wrote to memory of 3476	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	107
PID 3852 wrote to memory of 3476	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	107
PID 3852 wrote to memory of 3528	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	108
PID 3852 wrote to memory of 3528	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	108
PID 3852 wrote to memory of 3528	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	108
PID 3852 wrote to memory of 2828	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	109
PID 3852 wrote to memory of 2828	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	109
PID 3852 wrote to memory of 2828	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	109
PID 3852 wrote to memory of 3480	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	110
PID 3852 wrote to memory of 3480	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	110
PID 3852 wrote to memory of 3480	3852	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	110
PID 3480 wrote to memory of 3556	3480	cmd.exe	115
PID 3480 wrote to memory of 3556	3480	cmd.exe	115
PID 3480 wrote to memory of 3556	3480	cmd.exe	115
PID 4696 wrote to memory of 2152	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	116
PID 4696 wrote to memory of 2152	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	116
PID 4696 wrote to memory of 2152	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	116
PID 2152 wrote to memory of 1516	2152	cmd.exe	118
PID 2152 wrote to memory of 1516	2152	cmd.exe	118
PID 2152 wrote to memory of 1516	2152	cmd.exe	118
PID 4696 wrote to memory of 4748	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	119
PID 4696 wrote to memory of 4748	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	119
PID 4696 wrote to memory of 4748	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	119
PID 4696 wrote to memory of 4652	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	120
PID 4696 wrote to memory of 4652	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	120
PID 4696 wrote to memory of 4652	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	120
PID 4696 wrote to memory of 2812	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	121
PID 4696 wrote to memory of 2812	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	121
PID 4696 wrote to memory of 2812	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	121
PID 4696 wrote to memory of 716	4696	4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe	123

C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
"C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\BcAIcYwc\oEUEYQoQ.exe
  "C:\Users\Admin\BcAIcYwc\oEUEYQoQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2256
- C:\ProgramData\xawMYQcU\CEEQEcEY.exe
  "C:\ProgramData\xawMYQcU\CEEQEcEY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
    C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        8⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        10⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        12⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        14⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        16⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        18⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        20⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        22⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        24⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        26⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        28⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        30⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        32⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        33⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        34⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        35⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        36⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        37⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        38⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        39⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        40⤵
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        41⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        42⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        43⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        44⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        45⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        46⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        47⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        48⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        49⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        50⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        51⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        52⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        53⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        54⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        55⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        56⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        57⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        58⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        59⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        60⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        61⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        62⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        63⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        64⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        65⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        66⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        67⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        68⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        69⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        70⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        71⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        72⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        73⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        74⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        75⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        76⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        77⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        78⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        79⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        80⤵
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        81⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        82⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        83⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        84⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        85⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        86⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        87⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        88⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        89⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        90⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        91⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        92⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        93⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        94⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        95⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        96⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        97⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        98⤵
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        99⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        100⤵
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        101⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        102⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        103⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        104⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        105⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        106⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        107⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        108⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        109⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        110⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        111⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        112⤵
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        113⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        114⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        115⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        116⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        117⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        118⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        119⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        120⤵
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        121⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        122⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        123⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        124⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        125⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        126⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        127⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        128⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        129⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        130⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        131⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        132⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        133⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        134⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        135⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        136⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        137⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        138⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        139⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        140⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        141⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        142⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        143⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        144⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        145⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        146⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        147⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        148⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        149⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        150⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        151⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        152⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        153⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        154⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        155⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        156⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        157⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        158⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        159⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        160⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        161⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        162⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        163⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        164⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        165⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        166⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        167⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        168⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        169⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        170⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        171⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        172⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        173⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        174⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        175⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        176⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        177⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        178⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        179⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        180⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        181⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        182⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        183⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        184⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        185⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        186⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        187⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        188⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        189⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        190⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        191⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        192⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        193⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        194⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        195⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        196⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        197⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        198⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        199⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        200⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        201⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        202⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        203⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        204⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        205⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        206⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        207⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        208⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        209⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        210⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        211⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        212⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        213⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        214⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        215⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        216⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        217⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        218⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        219⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        220⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        221⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        222⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        223⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        224⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        225⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        226⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        227⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        228⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        229⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        230⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        231⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        232⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        233⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        234⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        235⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        236⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        237⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        238⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        239⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        240⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        241⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        242⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        243⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        244⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        245⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        246⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        247⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        248⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        249⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        250⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        251⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        252⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        253⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb"
        254⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb
        255⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgIYYwww.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        254⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xScAUMEo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        252⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggYMAoc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        250⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuwYoUAs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        248⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skAEosoY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        246⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igEEIQQI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        244⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEEkAsMM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        242⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOMUgkws.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        240⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies registry key
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCEgUoQU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        238⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkMEgIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        236⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyoAAYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        234⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeAAgIEM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        232⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQcEQcgg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        230⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncUgAUgA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        228⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywQwosMA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        226⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqUQEswI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        224⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqEYkQQc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        222⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUYcgoQc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        220⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMIMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        218⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogkcYsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        216⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUoYUgo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        214⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKEMQMEY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        212⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAQAgAAY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        210⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQUAoUoM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        208⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIwggwk.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        206⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYcwsksE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        204⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEwsgAAo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        202⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMIgkcoA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        200⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RawEMIoo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        198⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSwAcIIM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        196⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWwUoIgs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        194⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiIgQoIA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        192⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIMkMksA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        190⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEEMkUUE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        188⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCMcEgkc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        186⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOoQQgEM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        184⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMwokoUI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        182⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akgIkocs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        180⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQMAEMMI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        178⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwUUoAwg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        176⤵
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAUQocss.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        174⤵
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuIsAIkI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        172⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEgsIcc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        170⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYoAYAoE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        168⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKAYsQUs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        166⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQoAEowQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        164⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQAEsIU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        162⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fogcgEQE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        160⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAEYAoME.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        158⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOIcEswU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        156⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NacQQYcg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        154⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIEYUwAk.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        152⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKYIUYMs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        150⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOkgAoMo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        148⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwQcgoYU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        146⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCIEAMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        144⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGQckwsg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        142⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEIQUosc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        140⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgsgYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        138⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCcQkYwA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        136⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcUMIMEc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        134⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEsAEQg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        132⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOQkwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        130⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewgEgYUg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        128⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUYAEggM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        126⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwcEMMko.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        124⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuMUEUEo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        122⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eggQEQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        120⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcwQEYwI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        118⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUIgYwgA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        116⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcIccYkc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        114⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUgsIEAA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        112⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWQQEggg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        110⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUIQcEYo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        108⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkwUkUgA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        106⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIcwIsMc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        104⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgcUQgko.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        102⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQIIYQkY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        100⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEgMwEs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        98⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiwoooMI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        96⤵
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQgMsAU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        94⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGkQIoMg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        92⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAoQUUsc.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        90⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcAQkEkI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        88⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCYsMwoI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        86⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmQMYEYU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        84⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEYAEsU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        82⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWsYooIg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        80⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgokIIM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        78⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCQIQAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        76⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiAQYscQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        74⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgYoQcgo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        72⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMwccgoY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        70⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUMIEEEg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        68⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIwAkcQA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        66⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QygkUAAw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        64⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoIcwAw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        62⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIwEgMw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        60⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOYQMMos.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        58⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NysIIUYU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        56⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIwkcIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        54⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piMwkQoM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        52⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQAkwQAU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        50⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCIMAUww.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        48⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsIsMwwk.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        46⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUQYEIUI.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        44⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGMUEAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        42⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEYcMwUE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        40⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIoYAAMg.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        38⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaUUEUow.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        36⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGkwwYoY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        34⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWQEokUo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        32⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NokUgMQk.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        30⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOEgIgMU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        28⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqscowUU.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        26⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkMMgsUw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        24⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYYgsgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        22⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMIYMIQE.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        20⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQQooEAw.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        18⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWkcMMoA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        16⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGoYoQIA.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        14⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcgowcUY.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        12⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEwUAoM.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RicgccII.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        8⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4652
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSccssQs.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
        6⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcMQUUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQkoQUgo.bat" "C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2168

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3228

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1600

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv bXyb+nw2LEKwzWbLnqTN6g.0.2
1⤵
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
557KB

MD5
f53a4f8b65f089d698ea6fb4cb5b7957

SHA1
5e87942dfed3a989acd220c00cd7427f9419a2e9

SHA256
021673826217d79269990ed25b6e1748112ce029fee7c47dbf34283e2be6826c

SHA512
fda79082740aa92c132754da409df104338014f6da826009cebaa246662768554a29cf9790567a8263c7e185504467d1fd62853ff9e6d39f2e2359ce96727e26

Download Submit
C:\ProgramData\xawMYQcU\CEEQEcEY.exe

Filesize
110KB

MD5
13848707379400c02fbfc1eb4437d516

SHA1
4b9593d4a84d59d3cfa43672e1d6f58cab52f7fe

SHA256
0773f0b1c31f9fd69ba177f12fe826350d2ad569e8ffc6ca72fe1188afa5e47f

SHA512
b7231fd2fa91bc708a13e1bff3599ccfa43227008274a031df99a1929b546727c08fb87fb74e33f1608846c071560b707a1af854a0f42fcb50a60e90a47909a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
117KB

MD5
a601bdcf0c281a9ab4adf005318dd550

SHA1
c9946e59a2b11fa0a09b401e707343e39e102b85

SHA256
f0a25c86e0602bb0f60230d2f5f3f02446c65046530d428f00b6fe0b369085cc

SHA512
f73081b837c7ed5d3649d3d5e20aa5d3de6eee6e550cbaec7f15ccb7aefe41a4fb3b41735bca712d5cddb0716cd0ebd2720941ecded6e5f2c2dcbc8111e7b7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

Filesize
111KB

MD5
fef070990b28ebb209dce01db2af7c86

SHA1
b08eb10d7cd2bbb1fdb2889f134e382fd3f41d94

SHA256
3c1f5e0a6e2c8a5f1ce327698238481f42b71e9b5cf82e9f94f9ed147a63ce35

SHA512
93aab5843ec1868a0053a7ae8940e0b98cfdcb2d454d82b81bc9ec9e366857183c8eae49e0b948242d5dbd57dfcbdd4ab70efd9664b62221d55e7f61fde81b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
112KB

MD5
94c03a9cdd2ca73bbfe6eb1a280adb69

SHA1
24e6c2b22171593f8883a37002325107bfff61d5

SHA256
d03bf51e78c53f8275869b6ca37e236c43aca8eae559020f6a12dafc591a472b

SHA512
7ba26c5ccd7c871d7414b4893abca95733b092b871699da3b0fb274edd90a75bfc9844fdf5923a89b7fdd955c38c25c199ae014f6baef71c03f60ce8009097bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
111KB

MD5
0d7901540a9f4e74e77273e416bd3510

SHA1
246c900fe02c9f8e10b0d0bf5a9c07302a472a24

SHA256
fa8eb717c1e1b619913a773f67954347ae713f204e809ab2cd9a4dcc95e897e3

SHA512
b5453d02732688a7d943a8e7ba842d82444fecf1b8684d825dd1969ce9cf7cf9fe124fd14b73fe20052581fbc5e81eb1a1c720fd23b2e5ffdd0b0c42685980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fffe8896ff980ce7ebb8836933b14d0ed8f735faeba3bcfe8ad861538b9f4fb

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAUA.exe

Filesize
148KB

MD5
809631037769e37a713bcea8b7c98666

SHA1
36474064c8522909df3003ecfc2d68bb1ea4acf4

SHA256
550b8abd4317e5a44da0d8022663bc8dba803ebd188219fbea922d78e5cac9d6

SHA512
b02a698d9b7f1e7721c4009f2c8d0c1ca448c74cfe27b3f5d13e97f5df9b05eee61eb1c3f49d2c9229f79de1ebb00d9a8809c5ef36a95ecc0b58853c77881e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQUi.exe

Filesize
120KB

MD5
b08dc86523f3c3b4bd711ab3ca038e0f

SHA1
0e897c69449f822f880851d83afa09755da0f26f

SHA256
89c7743e099230fc6409f193dced991811f46b54cae86ba0a1005c8e64f3028d

SHA512
16eb467b3325034adaf709a6eb98a4a6695a6acbcc74fb49e5de28321daf74636fcd05b013f8ad0331a59c495fd8abefb5fb72585566106c19cfc14bca8b6789

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMo.exe

Filesize
118KB

MD5
82a89863a2b889853da81792d89a6fa0

SHA1
3fd1162c9ab89c9f064058d344c5522b9b39c5b5

SHA256
c6f2da28bb45067fbd0c18b8c11453be649580126771022cbc1679cfc1a95a9f

SHA512
d7402b6e6bfe09572405ac07fe9488c7aae579bbb434a37438c29dd6da177d9c5fdd67b4926ab310eb25f150c84bfd8f97e1610bbf924c6e525248c6233d301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AksU.exe

Filesize
138KB

MD5
a08541eb5eafe58d2a00448aa1504f93

SHA1
847a3ee664fad48b716270f6b88e0bcf97ef8b26

SHA256
e6fa2d708f662798284c6c765b3b59cefcd743ffecc58564de68424b884ab01f

SHA512
f1e762d4cf5f5eae5922d919e1e954cc06c57e2e977df2ff040cf170eaecfa1d25d1fc7f20dde97bf459ac5d990fbe200727d2ca07d9201cfc06908ef5f72695

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQMk.exe

Filesize
530KB

MD5
03c5b0c0694f5eb7df450725c0f603cf

SHA1
6ad952cfcc2a89c6e23505dd4a41328a9d697abe

SHA256
6b2fba3dd8d4c8520b1113646aaca0d8f24fad1df947f0587eb6a9063685d410

SHA512
e48900e66baa6a8cb72d613ca46c66c131cb7af6cf63361b368e53b3d3eb9c49cc1d206ef6f4d7c566515397df521a178180dfdc1e94b62f5a0b215e6a1da33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQQu.exe

Filesize
111KB

MD5
bfd56b0bcac48d326f831110eec605d3

SHA1
7af0855aca20faa631e38dd5df277dcb2b02f9ff

SHA256
c99507069441fafa713c58628a5531db3bb9169812a53118bcc4c357f1beb11f

SHA512
add0e10becc01b349aaedfe67fb8bbbdc7902f4852b190ba31f38cbb87fd2c11b099dbe4132a16134be19640bd3f2da0de56ec69096dccd9d692c5727882ea55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CggO.exe

Filesize
367KB

MD5
47e7d6de40f71aa1c91c7f197dab4a72

SHA1
38a0dd3740ccd296d41f4d1e0b2976a555a178e6

SHA256
32c2cdd78e92609865ef162bbe27aa3ba1becd5adf7aee453bf508688d35b830

SHA512
a3d62c158b7f0221d329be941b3bcae6ee486cc624dab276e3deb12926fb6ac43505d11e17fc73aa0070687a7d2cf0cac120e901b642c23e5d89a520cec0f627

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMki.exe

Filesize
126KB

MD5
96eef701445fb6a2808bf1fd10c44826

SHA1
a12b9a9f163da1a08ab14ebcae9f505af0e5cbcf

SHA256
fff2f3befa0205b1912d19f9e53c6f139769bb221e3254372db06b3c9bad5f9c

SHA512
bc342ae1fe637747246aacbd04c60a259b68223b09e535edf36d9e859fa4488ad21e275cbfff8185778fe7acf9fc19b5a030d038110a98f1dac330fc05c55321

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcAq.exe

Filesize
115KB

MD5
55bd75430175dbfa8fb832df657494c2

SHA1
0b3d4dff48eaad18cd99d33ac6477834cf6280e6

SHA256
0388209c66292448794868eadd217b59c35843177a125ae3f58c96efc7e36ee1

SHA512
06dd56a7784dfa8d7694744d093132fe2028d1a4811613f12cc09ff02214d752b976403dd8550439668cf2e5c6533076e2edcbe9c33fb9222343fdec6e8906c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEQY.exe

Filesize
139KB

MD5
c14cda4a753658343579f40486ead537

SHA1
bb8cdf9dcc1eba2c28a96d825f428d80adb78fbf

SHA256
e7d4d97bb0ec7ea10686707e73b1ba0374c21a60a663e2498a2817ac706b41a2

SHA512
30d5d53f61e94e3fd64776f2ff938f0a972567398f151728fc99fa48b220d40f02dc6a18c950f364e1d75166de753ea2ee1dd47a62637a14f8ec9d024f5a6093

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQEe.exe

Filesize
113KB

MD5
b3ca8b5c4c6a0a50674c4cecdb138d50

SHA1
2aabf8fea4611d4202c213f2abb62fb2668622b5

SHA256
53c5baa8f9de5390a5d3f3ea8e91a01af36721271c52b67e5119b92dc838b5a0

SHA512
fba53c46e09f719ef014714edcacaf587c39a3825a8d1b441f41a3b12e92065aa608c59fbd9ab1f1815ab979f1479d76164e1272c575ca541d4fe3f7d0cc1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYsY.exe

Filesize
110KB

MD5
3fdf764f5a20e6deb91d7b4592ad0d3c

SHA1
c00b9ea0ddb2639011be2a2239b3746c97cbdd69

SHA256
1ebbf3d5a0fcae27865260a0a7eadff2e2c9db9924f0972f79ad7be171e4ce81

SHA512
0efb435483e3dbeae1ac84489fa462848cfdeda5c9c8f8c8600a84a4601d1806a19cf4786a00b9d3ee07b710d13b67dfcea277dbd407b388989b2df1e6ded933

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQG.exe

Filesize
153KB

MD5
08a725abadd3f1ce4badeb6e908e739f

SHA1
bdc075634a54156c01d9e327e928e5b654ed91ea

SHA256
0cec90f6d1ed9ba47c40603d3977064ac02895bad9daf33ddc3ba3a43fa5ace0

SHA512
a29f156031d9af6337b5a454ac3d63d680f2983ca39ec92b29862078ef7d82bbad81ec155e21efdb82e2bdd8344e1d9ad6a068e9eb4551384d8b738e1fbb9fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAA.exe

Filesize
566KB

MD5
e0b95d7f88f75e881385be56e3b6a965

SHA1
a4417fcb6272aea2317a3a83860d1b01947a9acd

SHA256
bf6fff9795a58ac7e5b32e69e51005dabd2e20ce841c6566a0fd0044459d6a17

SHA512
e8cfca26891d093f95adfdd49b9c320e8bdc82b0b901f262636cd1a31ae766e7df37e61ab35560b4915b48ece2a034f5dcf5313647750e96abff06767164f6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYkQ.exe

Filesize
117KB

MD5
e1c0c3c89f498eb5e9e77ab3d5239d30

SHA1
cc64e622ed529a05cd7adea2914f470d68e95e9d

SHA256
50cf09379361bc8b5f730d445ffb825e24c1239720d7c842a9cf7a523ea1953e

SHA512
6469b9721b3aab1be157fb1a3ab14f40a5f48f48c74acc011e04291dcbdad552aa72c6ad8d79a1da1fc3253f4e3846f459d46ca4e67ad526059d44233adc1699

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsYe.exe

Filesize
112KB

MD5
1e35b139ca03c47e1e510bd1a19fe9ed

SHA1
54642b892d53ba49599244887ff8a94fbbed56a5

SHA256
b2113a98a11d11c1a10e9d8a767b01a78a6cab10a540449c9746e5601764636c

SHA512
97199776d8de6ddce8ad2fc43d2158f624d006ca850aee8733da5a95915d661831988a3249794b430fac01d36e128618e52de2c5e326d2dd36db1aa2967f3540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwws.exe

Filesize
894KB

MD5
554e4a96e3ae138bbe2c4d48d9358992

SHA1
3e2f6831848c5d70b0495cef1bf9ec2f91bdce26

SHA256
efa3d91309190b1658fd037efe333980b20ac721a0312aa92d11514c0946ac4f

SHA512
63efd4a7ab0a5d9eb0247876016270bfc0a369823c66b0b627f3702894b86778fcadc9a923834765d7df0e57fc6d21afc7b633342896dc217b5d5048c5ae39dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gosg.exe

Filesize
111KB

MD5
9daed03d78e744534ecf6d6208cf4e70

SHA1
fdf6abe999179cfadfd24cc4c336538adbc5e7e2

SHA256
505bd4f638914ede33825fedfff51e932d26bcd60598994f1a011ce1f2c5638f

SHA512
1eb598bc42de4e7c4372509feae5df35b842dc6e7a61406f093e3f3577288a9eedd8e66d21d362ed09970bf597b138f49261cd955bf3824b68a4e00e213ba06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEYG.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoQg.exe

Filesize
111KB

MD5
fcaff89acbd014aff798e64514aafa6b

SHA1
45b00f9cef2d3152ea1e4735954429a53177c0b1

SHA256
e5fcb86c4bd1daceebfc791bf9a94a6dfed8f8e46c6b8a5d759afb8656c73018

SHA512
6b610e7e02692aeb670a8c4351f8b52c67b9e8f3898c567aa537eb7b832ef65d45d65f7201dd3380832214aa25b9e55ffa85d105b269267cf17ad79752719c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEEa.exe

Filesize
720KB

MD5
979930041cbe2e990cbd1add3ed5e490

SHA1
96a35d0ea02269ec924562bd73068b68088f612c

SHA256
2f11f2fb1c42fe080e2f40e1a24128440e851d7f5e28b7bbad6766bb5ee22293

SHA512
000c368489a3e21431495e6782787d63f0d8b35c99284718150ff86aeb5bd11c454c34b66995612752968ec8536a30a6eefc21d4ce871d20ae57c9884e6f810d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcMy.exe

Filesize
113KB

MD5
09ef402550541ff9edfbb16c6e63a7a9

SHA1
b3733d954f4dfe6b7c452793dd369a0cb4794f2d

SHA256
ba9aa9e55b467dfd51d2564d25f900cb021640e0e8da8eaa240da0beb2dbee4e

SHA512
37918b346fa73ef6351ddfddc83fead0185efde28090a2493e02de8a4661f01a7d1313dc96cdaab16c7878e90135cbcb537d11b0286939b20aa6a2af5b650e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcUA.exe

Filesize
115KB

MD5
8d3d4e2615b96faa80c93d08d9ff15bb

SHA1
a5c3c7c9a9a973713bbb826fd2f3c7f6b2dbe91c

SHA256
982334388f3b19977d0f392da1002cb503f7732b16770149869ee201b44e492e

SHA512
7e08b02e62570ffb8829cc5a360f0b03e2d20028813d8efc56d25458ddaf93daf42066e3a3caba5b6df8e628f9592c3673cd2d7090b49c5f96c10fba62b528b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkEi.exe

Filesize
121KB

MD5
6e64397b69c075b2dcc7e712307a624b

SHA1
8073f05ab8487dfa959209ca29ea3722eee69f0a

SHA256
68fab17534ba2a43638903f9292d061342fe5951f13d863424ea1b348112ee25

SHA512
fde0b22f128322165382fa258f4858a02c3e85ecbb94f280a190763c4c590cd58bd82f6bad93e73a82922d288b61db2ceb932f81a833d92e77389d348c8ed8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMi.exe

Filesize
349KB

MD5
c6313922e8e1b3bbaa0f4b98af7871b9

SHA1
df5c3972b6d65bb6bb4a2fa9195242ac8177315c

SHA256
436a1cdc80fd98189d879dd6ef7152d3e3eb1cba57f8286aacabf5d484fec2be

SHA512
d27c4e8469dde726fdd3a17f19ca5b9446263271aba9201f0546735d2ea8488a265aa83f6028175485c1dc38403c550e32f669ba7a131635a7c52aafeb51cb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIkI.exe

Filesize
111KB

MD5
efe5cababd0555d0d21f24e48c8e3389

SHA1
72ef4035bef6f0e5d49fa6e772791cd200c21a8a

SHA256
ac94047a4c93fa143a8894680a081402c8feca709c773f2e596e8b62b24fffa8

SHA512
4c1c83cde62c4bf03a3d908282bfd4d66ac8e508ac9546d68a01558c6de57f32ab6be75f914371d70c62fec7a476881d4b08b885e25bb58e66a0236c8e5f2497

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMEi.exe

Filesize
109KB

MD5
35d2bc6c4d95cc69a8e24f513e400cc2

SHA1
0fa2dd0f003fc29b160683300dbe1bdeaae5b5bd

SHA256
0d1f49e63ad90abf102cfc3391b386b0d42843803943a861e6f202187d97e1c2

SHA512
0f08a31ebb20139b99f212d5a364d536315818922b9d36a1d772171b50dcedf1eacc5462e80caecc0175efeb1b3679d138cb2482daef6f72d0d2f71d5c959f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMgY.exe

Filesize
136KB

MD5
4a60f3aa282c5bb1428fb18e52111ddb

SHA1
a4fd77faee0d91d903e7a8abbc40c0182b371bea

SHA256
8eda5b35c122342e3f156eab1d09d09baad811cdc2fe795500d4e18d33b3011a

SHA512
055c070a9f31472fa5e77b36af7ed89ec5b48f656624b4eeaae1b87c35be900eaf7eb1597c1579f7a5b3b60056280b6c895409b373d8d843fd013015d609566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUoq.exe

Filesize
5.8MB

MD5
904c05060b0a56f9241e9d9162a4a49e

SHA1
4dea01889432a53c2fa41e5c38ad2862a3314424

SHA256
ded5e4e93cfb4ae7809a264876f230be40a213bc8cba841a6571703c4f28cce7

SHA512
2b6c12a88b6536eabc1fe5d44685660aa05e2e646387fd620747c26237e3a84037321e0b44c283338b48cbfa5ef26ae79ccde188ec277a445daedbd5ed9367e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkQW.exe

Filesize
111KB

MD5
b48d9f101b1665251e38ad59861d47d8

SHA1
dc0512d5de1650b8a2164d42a8cec056e2e3148d

SHA256
c905ba121beb30f5d157cf4b07554797925c50e9836c769bd696892a4099ff97

SHA512
e2b04bf14b9883be9245f2c3b5a1bb9765450b16ff93fe9eb8ac3a45825b1417c97a71e9057bfa6d4b634291d447a4ab25073d9442d01f561cc07bb1b2024fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAsM.exe

Filesize
111KB

MD5
75377e7bc05e43929d2cf1122d93ea72

SHA1
067a80e896ce881a48b770e1bfc1db0d4256e98e

SHA256
2e524a7729eca80de7e8f4854a53b71831ac42959bf6c851954552414c809d24

SHA512
3723e0e233f8a39c7f0136c115cfdbb5530910ecb7c926b0c043cbe5ca3c78edbb1e92f403b2755b297bc756a0350bc9c81706ab49d57f43b247441574ed8275

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkY.exe

Filesize
112KB

MD5
af3ba840d320cee8c797747638215a6f

SHA1
25ae1b02ac9c046f6152149b591fe22ec12f978e

SHA256
b4eee5cd4a9057f7261f5c263384d26214d20d2d5ef7a38fbc5e8f0a9072c1ba

SHA512
69c288df7eb4a7efdb763e1898b4c49bca67a42cc15b86f950ea7bcacfc9c4dd37292ae5b380a10578acae94333fa3c373c44267316da17d76cb96bdb9828080

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcAQ.exe

Filesize
119KB

MD5
8b7f402603d0f5a9b2ba68e3452bad18

SHA1
0b4a7ffcd41a570b24480bcec647e7b4da168167

SHA256
685e2593cbfe4a6eb06a7932cf7983209cf1823712829b144a26409217783b13

SHA512
e52d9312dc4edf44580a2f9ec02a6e43d27e130766ddc3497d93e079222e25c1f8fd1fa983acdd87d2cf6872db9e5ffe3550eac6f818d827bb5303a35312ee0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkQY.exe

Filesize
118KB

MD5
e62a90126104c9eeb3a30357270e3da8

SHA1
1db03e5c9e25a472e158f858f20ff157f4d3b8cc

SHA256
e9127c9d5e17dd7916f569ac15619739a3b3f0d8c4d446aa00b44f926e617100

SHA512
7d8db3d882eed2aecb7299d9d5b6de8b0c66dd9acd83334b96e9dafea43d0c32a87064289bd7195c48bc5ebf9ac5dc44dedf78286de71cd8eaaa342921308821

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoK.exe

Filesize
114KB

MD5
a1cd17b1f0d9c1e54a6084c161392b5c

SHA1
98499bf7905d7b2471088673809d31bd184d9b34

SHA256
b3c11782a8ebe26699abc09b4077f7b2de400ff10de7506f8df85ba899af49c8

SHA512
e1960643a045a291744270b1587b8554f1bb652f5d6c512954c7d9092d4ebf3a6e66fad7993894168e2108ae149428886149c5fbc206e5b6496f89206f72632e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYE.exe

Filesize
121KB

MD5
710d0a7a825d6d6ff43eab31184e4866

SHA1
8ce94afd9fae93c5a91690b594820a79e4090a2e

SHA256
d758f94fe35ae4dcee25d0950f5cdfb26c7ae18e68766f33bc9df0bbcc016101

SHA512
5c2d5231b6b636c4011b28abae1ec6e8c766bce4ab01e7a5ede54daa7ee77ac4297ae890e7b59aa5baa182dda049e0fedaa46b64aa5e7a73531c7945637c657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAMA.exe

Filesize
237KB

MD5
27f0c7a48485a4934759ba2b8dc08ebf

SHA1
d420f8b3ec0c4da9b4be047cbe0f606e9315710b

SHA256
14da680f2ee5c77eec4848ae4eb9be49c95815abe8e0f53df83a6d04af9678ba

SHA512
c76a258f1b57af75023057499a11e44497e6e36caee018698445654110df2bc6be78982f5acc08b4dc98a752b97646f989558859e78282968daf1cf1fd4c54ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEQk.exe

Filesize
111KB

MD5
86721958c685a33a3b5761944b56b952

SHA1
57bcb0f1b84ace06378856c59704078efe4a9678

SHA256
bfb075d05c258ea860640a88651972a2c7480da40d43b317c01c8d118fc95064

SHA512
a43d1944aa7e8715049de0fd13198de07425a84981ad040ff6c46cb8b16b2b58e8cb5276cb45faceb091954290c018b7e46cbadaec79064b401b88c7d76fca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIMA.exe

Filesize
112KB

MD5
aa3abe5f68adb42940e8c54b6ca6271f

SHA1
c95518078d08a7e031e0ab9904d2d27b9a99811b

SHA256
6b145b3e469bd88c80a7ee03070653852aa600cdd2bb4e748cce007eb67ddf6c

SHA512
4cd97e5c315c2314ddd0bc7a97b801c2c148c7f81a47603c3eea7237da9a10fdcc295beec8d60b0b2fc4065527efdd5b23b335c22780a0a64176d4c4237cab8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIoa.exe

Filesize
112KB

MD5
bfa58687cf00c049372630625c63609d

SHA1
c60dd97a75667e3722db6c091821540f39e51d10

SHA256
49ace99f0a96cfa2f90d8f45e4127711cd1e7d6f7660bfd686af461e768304af

SHA512
e0136b1fb00fabdebf70131bad51124edceb87122341642a061a780eacd984476c23071ee35cc6528010d2a42f36c0c9e4022d8ee585674df4cc9de3766f827a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQgS.exe

Filesize
681KB

MD5
af7970452e36bd8ae58669bccde78e05

SHA1
35f56bc157793dc1c6c6494abc1207fab8334e45

SHA256
cb3a9bcf6e05be7d9e62ba4ee2361bfcbee441c07f3bc3102c6eb47376b2c069

SHA512
767ba4b791ce1be271abde15250b8e2dceb4da4f63b863806d636e1e70c63a382ca51c0c18ccec85cf895bf43235bf05ddf38b7f5f16e5ee3c9fc84bc92e2069

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAQK.exe

Filesize
698KB

MD5
fd4e59940f19c65132c490e5e80a8929

SHA1
dfb784647be8a1aab7469840354a97cae69bdc95

SHA256
4cab0beece242dfd64bd56e9c899723eacb5aad769251faf7ce974baa64949ee

SHA512
153aec7a631e3033fd4054dfaa593c8410932456fbdb5273dc229448c50e5848e61f17a22573a57e4f78c4bf502768cd252527550b5e723c38c8524cb46b46dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUAi.exe

Filesize
111KB

MD5
2bd3581a95e548408ea4b87ab9ab82aa

SHA1
486ce0e75cee379ddd15d545a3b0d7eb637a3bcb

SHA256
b35dd0fa56debc9f181a94ceee7a3d77c97408f7493ec3309b897621e41b1bb5

SHA512
4d16a52d5cdb3c7baeec7fe432cd27cb3fab7462ba52969be2f5ddcaa88a00b36a326a2844ebe0b28c1d1518a552b36d63fb34dbc1a3766ed1794e8509b04c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rsgo.exe

Filesize
112KB

MD5
2f3232c947429f5357a51e073d839b83

SHA1
c88abe83f416fa921c00ad35ac4d273342ac5541

SHA256
b7a99ff604271acb569932834325597987a7cf5db6ec86f3f7367fe47bd6c15c

SHA512
68baefc26f68ec4e05ffdd1edc626e866f4c656dbcca5a3c29739f04060cc2f63a51c941a74abfe4f1f36beed2fe975ab3e835e769be3c8879a61397a45b8af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQcK.exe

Filesize
722KB

MD5
5b8299acb6d78918c6ced7a82ea2567a

SHA1
401a51bd8dfbf4dfcf14635e5aa4f40bea672c5d

SHA256
981f25ede093a6e5db8c490304e7f5e8223d4de7f5baf6f797a06e4432b14fa5

SHA512
04cab5c8a8e53d4e728df046dccb3339d1c33ada9aa30e95dd354510f608d73b2a5053272000c2507e041c2ce1649c2902baa89c17c9ed6c7e0214014f9f49fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUm.exe

Filesize
238KB

MD5
17ce60e83bb5fb662063200b98b7bffd

SHA1
05f52ea45b7ebfc636f4fb078e35c85f96122514

SHA256
483fbd05a0a509d7cd8e33d0dd7556e27718b24667bd1512ab64dd5dd4e5b852

SHA512
33b4353c570d502297efd7ec20c62e47fc21ea1d19cb6587e6f8297c7d3add7eb351eccf5fa1adf5717eed9fb2c8329b4fa6174f4ecf07d73066fadc8c7bd70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMQg.exe

Filesize
5.8MB

MD5
ec339b21cd30b8045ed4e19f8b0dddfa

SHA1
e4cde04f2426eba5f5bf0eede150215c24a62ae5

SHA256
05ad5e85bc31966808f5de4fd387a9be82f786425a33db672a2543719c5c3784

SHA512
afce583dcd7aebb87dbc3af1a7e757af215dfec7b50461dae5292fec4f9b7bff4a6d11905ceba230f2248d5cee44db6a745d06781d2050045dd158e331262dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMAm.exe

Filesize
110KB

MD5
38e6fca40313d56d364cf9e4bf8cecf9

SHA1
2d583ea6c739c502bba83c7cd3659a54486a2222

SHA256
5764e7de0293e92bec436e34548b5f99f90499984fc9dc1f735f78e037bc0cd9

SHA512
54ad728efb9c71834e283f5d8e02cc0aa14ecc78b4e89534ae6956f00c4d67cb23326a073f24e47bbabdd4bfebfef1643035f2e0acf043870e37ceda9987471a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIYM.exe

Filesize
155KB

MD5
dd543c23b76b6038e7e0e266129a21c5

SHA1
c9889e7a45d0ceda8b1b4433551ddd1de9f9d930

SHA256
1c1242f7fe17dfc7745f50e4bc204e80f17ef0b165fee10b81d38d9559999256

SHA512
e3492ed7d7df6853332db00b1c0f2d79b1d5f06291a621483c919b3a9ccdba723221ecd33efe1dc91013994883e49a733ef4122d2e3ec107eb26e913f1987bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgMo.exe

Filesize
114KB

MD5
4537d2402bab7be690ae52440a8c0d69

SHA1
e8d2d1f14a10920abdf7f178cef044433c6884b3

SHA256
ef7a0f3cea856257f3ec907f80491540d6d0e044bd8dbbb0abc71d84a728d523

SHA512
05969948c9c36b33d550e0db89f64ad8a4c9fdc0f9eabb6b2dd44b9e89f98ae1a785cee0a37ed580f42956ec03e849054db7f432d1639a746d09d115111a97cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsEO.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkgW.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAwS.exe

Filesize
237KB

MD5
1e80a963bb113dbc50a3c97f61b51f3b

SHA1
fba574a14ae7acd522bab4791e9cd99bf1670def

SHA256
739d861553efc64bba74d2cd030297fa1ca81752978bbd552e4b7bc5b5bc81e5

SHA512
0cb40098ee2a115dc1e213d0d98a201fdd48e34224b653bd310a1db3b0d2ac9aaf0be365878f9aeb1c4379c63f49fda615cef6eae9f8ec52df716135df05225d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMYu.exe

Filesize
125KB

MD5
b30ff8d9f9c3be2f66fb2488029c0ae4

SHA1
dee1f8c663c12ac02137dc964a98b353f42db5df

SHA256
9ca2d8397389d8a0c60c45e9ed8ea0c414c331b300a0f3cad376fbc0f56c6b50

SHA512
6ffb8ca3544a0195ca06d7806cff701b6c1c4ebc897ae47b28f5e8eb12c2e63bd89d02a600ce68cefc180fcfe50f7cede0bab7efc33cfdb2a445dd77b06e47a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUoa.exe

Filesize
744KB

MD5
82e8a24bd2a43f7cb5f0c9b65c0c0acb

SHA1
38be79dc735c7e1e82dd60975781779b43a97737

SHA256
825f69507c30c5312f7fc905590c4bc574220e2316707fe88740fbb953122ea6

SHA512
e43adbef57b4f556fbc6868f4290574df0810648607d9636d300c8f07707ab786626e6e3eca17198342d09d4db830de39ffdac17396d32bbf178cd79c45b2a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUsG.exe

Filesize
434KB

MD5
d983ae87b558efdc18dc509760d078b3

SHA1
5e1108aa1a22840307c5e62ec26ca33c7a8f78bf

SHA256
a72f055a3b94858ab7088e5946f842e7830fdbf25420e35bce7293096361c933

SHA512
5ff9d4f70924295a6f84d961883360f92b5b29189d6f05b795b299a8016b6c6a01f8863d923c5a046feb79d8cef7ef0ce821b9e7f63cccf1edac3b6bacd4b078

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIcG.exe

Filesize
485KB

MD5
19aca9a696127e6a191d7235b99e0bca

SHA1
028c3e528a8e663de94aeef5898dcac9e0365c6c

SHA256
603e31baa689d2ca3014afdec1253b5f4947ba8f7c09090572a49681c8104563

SHA512
3ebe439dffd869634f2e63aabd7a3141710be526d120d583c8a092019c164333a81febf4c15352dedef0baa22a8ae7fca7642507ed1d8f1f8e62a8d3faf8ad55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZowI.exe

Filesize
284KB

MD5
30228af1084fb2ae2004517541197b0c

SHA1
bc53b9f3615e593524b1923b0707a7d1fbbdc0a2

SHA256
b3a7e54ce67324aa53ca0d9ad23619426f3795445ab96013bd5c9ecc6407b22a

SHA512
7907ffd9a88add2767d58c1447d6c47115a80929365b69000c97c4a086a9f55939a693f7a9bcf9095ddd08b334fc830b53bcc2847322a981517840d79d0b46eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsUO.exe

Filesize
5.8MB

MD5
6f3325078c805097fc0cf53382323f8d

SHA1
3b13277aa4c9ed44e61b1c795dde5f5ad07cb179

SHA256
c02926f7f25839b426b5183f23a36321253f42796ed4b831a0aea877badf5b53

SHA512
7f4fd3d44346806147bdd999172719b122714eecd5e551da3bcb65e17081dcf0135df1b85b125fefa2489349b4a834c194129baea8a58cfc4af7603bb75fd32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akga.exe

Filesize
112KB

MD5
fd0b4c48f635a0c2ddc9779d7c360ac8

SHA1
fa32d1ec8808a27ea67ca7e53d327f727d7021f3

SHA256
b8e5273a99193bca1216c717278d55cd368b6b85c4028947eaea55bfb9e9a02b

SHA512
c1ae4abdb67ed879d674b2d12cf116fa74fac0a41e5770b505cc18af5c306053e7108013815f038c431ed391e6c71f025d6f3bc8fa334bc6c4826f40730e26a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIsU.exe

Filesize
111KB

MD5
284b03f2e344ca381a520a89a427b052

SHA1
ab1b3d0d17d6d694ea1edc0f2d2d8db72271845b

SHA256
0f33c33607ddad60ae156adf3d638f2272915e6a688dcb22fd7a90f044989af9

SHA512
1c187df937aafcff4c97dbb5656314f4356f03777f331129ec1d5e82410167ac00884c8cabf6a8e21d4035b5861259b085eee70a4b8b28db4e25db68c7c17a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcgg.exe

Filesize
149KB

MD5
c00551c7649dff6d80d7c289fe4e5e66

SHA1
df53d67bb1ea31fd1fd21f7343020bfa624ca451

SHA256
8f49eccff04b3c787326d6a1cd3904878a31a6551065520cb98000b5ee46e3b9

SHA512
1a92eba290ba4dff12d0151465f87e27ca0b383754a6373c434292e92f974ed604851bed96746ab46147c13a13cc04fd180dea116136b05fc22f7390e07cd270

Download Submit
C:\Users\Admin\AppData\Local\Temp\bogY.exe

Filesize
833KB

MD5
cee2a5075a89a6d604c1c602bb3a9f80

SHA1
28ad23c8746624a83d776f1b3477fbef9d6ce3fd

SHA256
72e1004585c2b1a055eea7b6ca02deaa02200cb1edbfe9fcdf1c9a6b3419c668

SHA512
4d8861471b36e62edde5bf3be3bf8da97c58a63ffff440b5ff76efbc2c56ae64a7a7b3274a9e2344fe0fd52f81fc56fa856ade6eaa51a203164b236d95277293

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEW.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEo.exe

Filesize
112KB

MD5
bc079f589a0cc56331e404bcd1afb589

SHA1
56b08cdb4a4406ca403c08e9cd8af6773b16bd90

SHA256
87ce17537cbb47b0eb394cc1016aa4ced0e63a8cc541721cad0529171d5392be

SHA512
288680c6fd545350b4085f1597d3e37a8066b72e97f8729384483f22a9b784b893eb3fb329aa1e5d355e21b78e6373a36f05d1d837e93487ce7ec0c712cd8b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAQa.exe

Filesize
113KB

MD5
afdf694a4ea84ff2c52992226efcc7c9

SHA1
a87622202a1f8b86b0124127dcbc6c3205c656cd

SHA256
818c130fae77cbd3a8da0cce6eb5f88ccb26a8a587650cc15fe576719d052157

SHA512
77cf833593b796d7cca7c482b522ab4df801e19b8aca7c1c6df5a595aaec366a3f3acec164a57b6cd8d4eb181f196c998558b96a2094660eb701e52c59582d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAYg.exe

Filesize
1.7MB

MD5
a6dd692e29155aabb74e186a3edd65f9

SHA1
cc4a8f8ff436629b912cd11f4b4a3ccd755ecbc8

SHA256
3e320ba58d08b90edcf214c8aeaa26511bee69a027d80489427f62d875262137

SHA512
19d7e5cb2440da9ad95dc9e88fe90a86fb78b9a13e9113b48f177dfed17def8dec2b54dbf14955dde556385422ffd5e165350982254d26835b564d0d9c18e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIsm.exe

Filesize
1.5MB

MD5
5eb61494be41cfa8f3930168c1911521

SHA1
31d4d2479ea9f5b6573193cac05ff40d2ac3e3cb

SHA256
31ff4239422a899cb8bd4814f9194b9e819d91219bcdb77482268db1658d15c5

SHA512
2236e348792b451dfb19b8ad1c5e6a62196d7ce672b8bf6b674b00eba33ab951961511d38f354ac75d8b55b1f4eeab37090cad32f251887e961eba2fba4e422f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgsS.exe

Filesize
763KB

MD5
ef67991bbe77d0c327e16395fadbdea6

SHA1
ac831ee8784395f27ddca6ae89132f09681d5faf

SHA256
5900c923b4a8bae174802b70c4105c9e5705c69e3a5a2bee03e7092743051bdc

SHA512
0a0b2302d2b2de6249070c57e7904135a7c1dd1891cd7daf0eeabb1a5da74c7174860a6a9e1cbd120fbd48b6fc6ae4694f6facb8598584866e484ea40318b014

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsMW.exe

Filesize
642KB

MD5
3dc7106953d4ffabe8442ea5f82aed05

SHA1
1f67a7c4718ab372ab2a9dd806af53685d8b0e04

SHA256
6e96f7c04eba3d9fde585866f3ffb8f3d7869f6d01c2390455256e45910b62e1

SHA512
0e5baa408ff000df672d0c1db4505ef1a95230f5c94f77244347440070a01c50ce02513a2081aae1694133ca9b3b548d58aee8f44b5a092c81c207575488e215

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwIi.exe

Filesize
672KB

MD5
94e32b41b137b24d8553a2da05d2c9ba

SHA1
859e9287f649f5ce53dd454d2bcce08ec079880f

SHA256
b7bf126446ab221b77db8f1e9dbf65d05c6ebaeaf402bf42a899a67a16103a68

SHA512
208cb226900f6ccecf32c0abe8549a8c312aad1277c3e422d214a14b0aa6fa5f3de05da14ef922997133c0116845404bcc1904814111fcc4362c27b18658144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgS.exe

Filesize
113KB

MD5
aa50bc9d62dfd838486d87a7d26d4fd9

SHA1
59504a84fce2fa8d1b0a3ffbd8af350031dec29c

SHA256
aa048e22db98a75180e9eab8bb4de6a0f5fdfac0abc4d895dd602b7166da6c71

SHA512
ddd0780b2cf05bd3bba30cff8ffd9a3033e9fc138ce201adfd38b832ec0d921ad09121b3de0909bea24a3c56bbca729277c5ef82236e903d1598a10bd2550926

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMw.exe

Filesize
117KB

MD5
4f5701e5c6655790ef870bba60927791

SHA1
89822d6e50375179b72c271c2505bd768c74175c

SHA256
0ac1b1b5454ea5fe8196d94659cfe17b8710ac20f9d44a6d41c8a328e9c90b31

SHA512
bd4def8778cba2e14ae154a8da29b7d0e344b28be8fa4915588a66f930d409cd867e159c7ef67c2da2205033996a3b488514ec3d911100582c1bd31eee9ae056

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQG.exe

Filesize
112KB

MD5
b06928089925160e7e6e980c3f11f8a0

SHA1
dc00a9e21f1759bb1d75d388a639b0e369f2ced7

SHA256
110daa1af573cc20d9daeb48a74bc006fd32d77025213862fb81c360b7e2ba79

SHA512
982df4bb3533c16bc7ff9148e0a1887af4253897388758e60bfc0b79edd5ef4c9a991596864f7631c5ebd8480a08eb2eb5149ff1f5b9065e5bc7608109d95a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcMW.exe

Filesize
112KB

MD5
a59b59e2e4c349f5aba263a002f0629a

SHA1
7be35f55f714780bbdfc0b0d1a95a1f51c5a6036

SHA256
1cd6cb50fbe0ccc33cbdf5871f920cf6e8cd3defda91357792086d755f6c6b16

SHA512
c2d087d3b827953289b5ab3196567fad1f1e0f3680a788e2c8e2ff170f1c2c14dd1547a7d5876a6337b60c1882897a2486d68e63c3d8eac15e1f46062cd97bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMQM.exe

Filesize
114KB

MD5
3f449308a4e326e4425808ab24799892

SHA1
2f959288680429468b5e07699845df35474b35a8

SHA256
33b6f3772e39bd43ccd3f7aa98672cb860666d6e3ef8faab36e228dba5cac1c2

SHA512
90fc9c4cb1c3d053169d851fa433692fdc8bdf07291bc77edc3a3b2338c0e82257719541a65622d727cb7abea67591216dda3854629d2d1ad2816b4eaa7778c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\moIg.exe

Filesize
236KB

MD5
bba069efadc61a7c261b399aad011d5a

SHA1
c2914da1b9bb9c67e3279d2b0b5fe82c7d686732

SHA256
aa8e4e20b4a334c1cdc195563a8421ca5fa0a1d17dbdbd74587a47581e078d98

SHA512
665817759dc440bebb1a87963e1527e5ce3f1285ce3fba0931f4ad9bc6416ffc3d3a516d16b498272c6e5557d82a97b24ae1d204ed9ffe94df5f6af24453b38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIAC.exe

Filesize
112KB

MD5
c28ea7c08e453eef8bb36fef3a4350e4

SHA1
dc4652e3fd0bd398b9dda66d9f8afb5ff4747026

SHA256
cd9c4412177f7fe6d3f55f90cca1097777db9e51c04331d491e55be2247ce9d9

SHA512
2ede6a1c983401c8583f333c59ec9ee25b3a68e17d354fc6df916ed1ddea2a0a2bfcbfaca8477161f4e6e9c4250dabf5c44d21affa90b6e6cf80a440812626c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIky.exe

Filesize
113KB

MD5
f2953f056f51b85a421a6eef9a1d5e97

SHA1
4a14f2bc66e7d9f2bec1037c0eeebefd307c5f26

SHA256
6e9b8f26665ef308a95c2a673792ce190dd342e245d3ffbe71ce35019e56f07b

SHA512
8eb605378217731b1ddb8706ba185195b458e384c7b9fa7f8f61e0097218f3eb79f228b8177ff725b6b2686bba17dda1b88722348f754cc29caa864c6f6578b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMkQ.exe

Filesize
112KB

MD5
3d19b01e3466d8692be1b8792359f5a3

SHA1
2e84e60addd4037d0b574ab9ab7533f69d28c6d4

SHA256
ca1e71a9e0dd238fac7bc34e8a25d132e39f973aa90d1e60bb240a79eacdcb8f

SHA512
fa9d2c842eb1293bec5ad823d2925b8e49a5da4687a48eaa5519006027cb036f059aca85f887b79c656e8c37edb77501e47c03d2629a4cfdfe85b7dd958f2353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQkoQUgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwkk.exe

Filesize
112KB

MD5
b1cdb73c212e35939a9e631679af64e3

SHA1
8524e5d5eabd647a6ea921238705c73b911c13b2

SHA256
259fcb9d3b004955881ba26d1b56af24ec5ab4320599b07f67ad59f7e90c0ebe

SHA512
70f305819ecb05ecb883fb5b2f57fc589b3810412dd95ecccfb0c3440cbc6b276cdd5ba2bb42dc49764698927d3718d078d9d36e780a4a13c267b4986f44fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEYg.exe

Filesize
138KB

MD5
6c9cbd8595531fef10bd42dbb820f153

SHA1
4348661575a3c06f60d674e942b50039170ad6e7

SHA256
4db45459c2c342fbc4c10e05f81362102e9a9b85ba7827dc1cd60e654597d1e6

SHA512
50029158e67b3ba96af25c48529dbc42d9040fcbe3f2f71b7a2fb5d0fd52dfb904cefdfa6f0479ae03d0ad26896086ffc249fd547b58a060d1a5a40e9175f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEY.exe

Filesize
567KB

MD5
ec9ffe9276a61b8c975613f866d44b2b

SHA1
2b75653a691d24b9d397d370ad538daee8c39024

SHA256
f8a851d3878e5171e2d0213ee0c2c7d78d8e84736a1a89bc2d05a5a59ce87697

SHA512
8062c78ba8d672f5a3898da797d6b2d919951c3a8b2eb4a9edf5acc9157033d31a27db4de6a373f349571359ac6d0639dc3a8116c2cf850eed83f598ce7e3068

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoI.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgs.exe

Filesize
651KB

MD5
eba272531f4a2cdfecfc006aaf2942be

SHA1
a7d91ba42a349963a807f820cd985b5543bb30fa

SHA256
f07070ffae99d13c1cd60fe4155a6a79b3568dc24913f5176b885ad993de9146

SHA512
e4fe6be104b72f857667f8a9d67d1307ba4a2258de05ea115737fb429d50f80fd5dd60222e8e5f40f1cfd01c9001cc08bc6551baa73c5b742a5b33fbef508cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkw.exe

Filesize
111KB

MD5
5ccfe9048acefb91afa6b08a9903949b

SHA1
152a69a85132cd7eca15f30b3393a26f91b4ee38

SHA256
d1e0f687263b493a8c9991e93ba7cab4f7932d9d54170f97b262fa0565846fe9

SHA512
23cda56745aa2bb1877ac0ab571a31e0a8dd44e77ad2ca70a9330c7a1cb63096a3e197574af0aee2bdf1620cfc944165373f882edf6b3aa077d06c03375302c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sksm.exe

Filesize
110KB

MD5
b45f3371804bb656de3e580810f0ad48

SHA1
fdfc716292f5992d247e027016feccef950801a6

SHA256
5731157d3dc9df8f5ba1d1fef7a4bd004e2132c430b631f7c12a0cd9fe2774a1

SHA512
98375b8fc266314bd3e021287805f3af45852fc477c9a43e83313b7ad9c10b6d533c601382c60f899b424aaf279f84db011e1bca74401a4a03e631e9cb016ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMgC.exe

Filesize
4.2MB

MD5
14ed27a98ccef685045c7a63d50b1264

SHA1
d4a953ffbe8afd360ea6526959c855486898b967

SHA256
58a68e00d22d632b0145680c77e9ae87632a136a926001499fd7db4e7cc1fd33

SHA512
54fcc47a12cf65b82f34030537def653a36a1f0632185b5a04b27c84de53893b586778aa621261a5f50d07f308100f2033dc1c96ce5b469d5e2e6156a01c34b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkoy.exe

Filesize
832KB

MD5
76d6219999bb2ea94b1077de701bad42

SHA1
795d1e2cd9bc22cc2a4ce88a0c0d213708126cbf

SHA256
8dec587cd01f8d0fbdcab256607234b3eca20b5216d2d0ab76fa3b4ea1cf3d1b

SHA512
78375c4a42f7f66bc74271740ffc9e3db6f26ccbd1afe01fe5b86d7ecd0698702937a60e5648f572ce35635de58e344cdd020f2d990f61992fe3f2d3793ef7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\twMU.exe

Filesize
113KB

MD5
190e77493eec7d496dbdc4b421ddc0ca

SHA1
8a60fb86e3c07afe9c408ff6b858742a3f9dd391

SHA256
10e54c1ef6b5ff499d57f7dd199638453cc779a562d8c0fda727b8592b1619f2

SHA512
732d5c41820c9a352f8c3617a6197b5bc144171499ee2d210100bc94a979d1127fbb3a6f2f0cb7d80b0bbbec177b813b896078361c2958f6197506f85723bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMy.exe

Filesize
507KB

MD5
3f71213a3c93801c4a8699166f26f7dd

SHA1
6c0200cc0c907a3546e48f8328c62a2d848e03ae

SHA256
06aa36baeb86881d99156ac7e58b614dcc2417fc3f9a930824a3d6ca1acd75a5

SHA512
c6e7dfd262053ace57bbb4480f50ae4998a69490c4dc4577243aecc5c6a2547e4acf082d45e042c1ba742c68ea73e6666fac195c52b876515bdd5005b614a3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcs.exe

Filesize
110KB

MD5
f93956a158821b9c07239639afec0014

SHA1
63fe5b10dca9decf418d0bb62e7b23a0d9e4dcc2

SHA256
e8eabc818060bc25417f04a76e45e0cf9004505d9c71d09b2749f6452ab5423d

SHA512
db48c8ac164e09dc0ffb0be3d634cd6b2726a10796bce6dc50fb468598b1b6c8d1a561714677bd05dfe56ba1bb022a1163b65942a1556785c0f0a41a26206c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEgi.exe

Filesize
565KB

MD5
142f7fe7e39247e3af62a01bc67bd36f

SHA1
d08e939847e037b65d612f29ab497a38b85e9aee

SHA256
946aee9e5bdc028786771717b752f44733e6e222da2ab54dd9d0b9e048869d9f

SHA512
7ab8b30e61f1f4998d983edb51ebb7d2189217a9911c709105ceaaf1a497f346d775e2ff800276167ac249ca143d16d7128f6ef83250a449b22f22b281537009

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQok.exe

Filesize
140KB

MD5
8e4061c7d00321e1ce45bb434d5b9ff5

SHA1
0a8fc1bd120c93eb97fe7d1d673527a18ae32082

SHA256
b1f02e12df955de24243a569af224cfadc9d2ac436d096cc51fb0a1d586d5237

SHA512
faa1d58eb66af9e17814d7c086c5d538776b59d5fbe2eae1f951ca4a8cbb15a0b9b8df9bc909232e3e6f2ab2e4eb4b7124037063eb4220a17bc11e8a654f46ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIcS.exe

Filesize
110KB

MD5
1c835457f8b45f04eb9967c103603c6c

SHA1
7397d765571e4733f6009f55e81492d0c397915e

SHA256
8e467b48d15d304a647e10f138ab420f7e456cd751d2f1855533ed9a318dae80

SHA512
53bcc8413a34d1346575d626de71d7a9916c37fa4a80735af2c9a03d33f4db3edfa49e648861c5986b0c4be271412bfa585ceb8605a1fc679c705de32e243548

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYce.exe

Filesize
112KB

MD5
52d0f88e01009d9c3910f317ae3e1030

SHA1
c213e77d624512672a2e4308035852c5c6d67979

SHA256
fe275bb69726e75b9114a1658ed1344147ac6ee92e1f1629b046282d1ab4eb12

SHA512
f4341779be6b3e39180571e6aabe684ad5635ace1e640f5f223276f7c79f34a80983433b5a285c41eb4cd14e8348665ba5bc3d7e5fb7a57d0d93abdfc462a5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgsU.exe

Filesize
115KB

MD5
40cf6db379728fd04e7a3ecdf310e4ea

SHA1
457f21f70d12d2a96eb5b2c01bc830bc899f2b4f

SHA256
40b87cf64224d38bc9c529f5614e51f5e31e849bb3a8ebe6f39e051bd4d38456

SHA512
77d008319117625cffe7a1a2b25fb653464371ad16c24554cc7c41183b251758cd4cac79359e19e692431dea3a0fe8fdb4479ecfdeedddf28bb193bad1480a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUS.exe

Filesize
5.2MB

MD5
7ebc538c8b23c715fcb1f2b3cc2c9f1a

SHA1
f16021358baad14277adaca9c281affcb197af12

SHA256
dc722be31a152e09cc3b7f52a98f6b6e4e70484c86c3bc451e3341824aa12fdc

SHA512
324cd5686224019f1da0b9a9c42b705215a9fd98f4ccb5a187c0603e3ef40fa380ae22a183112058ace4a6a038510da656beb0830ba4ea8583275aacc6f1d0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgUM.exe

Filesize
576KB

MD5
4eaf866d6e550300bcbdd96cf53df4b8

SHA1
0b2d58001f77f5a1a57026307e77fe17f599797b

SHA256
7d3b58c9951023f7666c0baf623f289ecb62494302857c1a0cc83d7039c299ef

SHA512
3554a885112263ca66ac87dd651a39f3a4fe23ae5280cbdad403fe42add6e695fddd059e9a8de9ff4bee047533c10fefec4706d7f96be06681f174c5a8cf31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogE.exe

Filesize
744KB

MD5
b09fe320a497909ea5e9d432e519211b

SHA1
8dd8b6547997d6617255874facd2663c7cf203fb

SHA256
63082c845591c676f0f35499ff5b58bf0583e28a4feaa1ccabbf4ba6ae21425a

SHA512
08f78d0ad8b10e739f553920debfd0e1499a4c6da5fc2fb40a1bf52543c129594604f64682dfc961a7165e03e3b3a725a47069aab9338991af23e5b9c41a00c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQW.exe

Filesize
116KB

MD5
2572f320b9ead2a593cb6c12d8b49eb6

SHA1
7cd2ce442ece62790fb3737bd04867df9d49e0e7

SHA256
dacb0f5869ada6c76c86c6ac740a94e1367664f85ddf0b59fa5114a3585cab4f

SHA512
de5d8a6163a18349de4300c10a5c4a2439b5d61054bcd731d970962d4cf1414805d9a51779d95669a9655307804bc52bc1d04873be9352350e5b9dbf22f2cc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAEE.exe

Filesize
113KB

MD5
650c892870af96b78425d79b7b0c1bab

SHA1
542de95de21b6e183d9d5ac3fc595876cf75ff2b

SHA256
6df8ceefb02d7bbf21f4fe9226e5117fd9e177e774e14fa69ab463b944fab247

SHA512
205f4714596c9596c84dbb43074d2459f92b987d70b43e8c9c1c6b16b7e692c04734571b2fc1a75498da97fbecbaa3b6beec01768d8bb30a211465b0607cc8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMQY.exe

Filesize
114KB

MD5
c80f0142389d0036b6ef684fb2081d6e

SHA1
1e5f1de6cf4641060e2d8634e8bfddeea1510427

SHA256
aa0aee6f4dace51cb8a46ac80ea09c9a882bd42ae3765aa92bb97868a80b5b47

SHA512
f18eac0dadb5a8b5f1157d45c84f5c281c5317603217c0195358e1ddd90ed8c488e6d3a8d11c2f00e13f95b87e21ff16b3eb90401a701d236a2d6485760d9d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsO.exe

Filesize
116KB

MD5
e89331f4e9cdb10e3dbf23d7e62e4827

SHA1
6174c3f6770ff4e7452423cc8a7d18361336534c

SHA256
3a54d354d675272f9d8e3d87864a898ccabcb67f70cf6679e749c6d66b92e5c7

SHA512
ba559e921cda68976203ee28011c5a304cdab22dcfe5ba89f4edd1b7b9fdca0d3ebf96007abf915c86c8dad75e5d1a55e813bf71f55fe48c0eb4be363d5ddd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgoK.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkMo.exe

Filesize
554KB

MD5
10a4de6927af687fb7f4b21ce129581d

SHA1
b259f7a8ef6ae1ba7bad2974c3c0f9ee721603b5

SHA256
e5544d60b20d72ae41337a6bb938944ede4330181ee2c8d242bac096434a4250

SHA512
54530f57611177316ae792595403cf35753127205afeedc255c7e55772f85c92bc3ba65ec36f6cce93000a48bc2283993b1992779572c00d0d50eac763a65c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\xosg.exe

Filesize
233KB

MD5
bb9d731a5a19a1869714a33240be7289

SHA1
80375321e1f6c80c7cce2c1f12b65610cfa22e3e

SHA256
ca1d6f422aa158981db0c122b5ebe0b66170ebc0649874c945077e29654fea8e

SHA512
aeb366d85ebdcba115b822963715e17c43601751b4225f06236d0904073bf9e30fc938119c6cd56b6266ac68741cd0acf5790a6efac159f30c471d1e22833554

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwsy.exe

Filesize
110KB

MD5
907c524e964bce92fddd3488acd254e2

SHA1
d6139e2c90c8269b983208b7d1574f6d687b9057

SHA256
a9b1e9698b13961dc04015344f2fc9f5a5347ee50d421a7f09040c3f0dbff990

SHA512
d591d94da5f43118d226e43a03c14d75fbd73c5dcb81da483e9085bc4a6336f95cf294f9f17006040501198794ca73cec61045cfdcccba6027c149340647e6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygMc.exe

Filesize
110KB

MD5
8585ff130e1ce495f9a72fcfc3eefc53

SHA1
1ef3b129db923b56a4da40c763b1df29e333805b

SHA256
1c279add2b702317a0fe381e6e73f6e46eb11764e10e9bc67dd7a338af7673df

SHA512
6d0af0e59802f7b632bda77e90ab786698050da696cf9f69aafeefaae34a76bda3f2d8e1eae1fe2da4d7533f65c9ef919e1e6bf2f11ca066e6c799aa8afd429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEIa.exe

Filesize
5.8MB

MD5
e82bb4b79d69389b7f5629db5b84a79f

SHA1
4e17c619b989a6b4bc28f6ec1c4b83a404c0b1e5

SHA256
374810a633191a2735508b461d17bd09d76dbcd3ec77ceb8c83607e8392ee57b

SHA512
5bfc76c06a9cbfa4c3e7e5a7fc1ed1f9b0938b0e14c3300c18a6616241093a4a536a4491ed5136d6f9ef7d0a0dfb3a4399cc8028b6b9ef9dd14a7afaa94a38cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEIy.exe

Filesize
112KB

MD5
0d0596f38158db2ff95e6cb69b8a6f2b

SHA1
dfd5fb14df6eadef6486d30b9f8628035d89cfaf

SHA256
0ad509210c9f5be6fbe2776a68f76d8749d9b15925bd250ece9c01ebdef55f2f

SHA512
86a50d2dceb015e9b5500ffbe59f159624c954d8c497746ee7f117e4548f08ff2d4b5eb3a9633c49839f92197b73dd0c289c0a21a517426da4f55d37c9c9a6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYEM.exe

Filesize
117KB

MD5
934233f485b6402a07b381ef92d0898c

SHA1
780b96312075f337f4652486e494038108e788c2

SHA256
1193420e8d35607e2de54c29f8a688cb8e6dc6ddbb8ac475158a898de1bbd58c

SHA512
5ad5bdf5e331bcb2fbdf184491fed3eaa36a777d7c59b3498ba44a2bca27bf3cc8ccf50f1e7cba5dd722e8022e76ba88cd00d3372455bdf44a20537b12b012d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgkU.exe

Filesize
472KB

MD5
b846632fdd804573d6577e3f7d1bc6e3

SHA1
d1e8fcbbb5c53f4d4cf64644457a476368dee824

SHA256
3eba369bab056f699110025b6dd96606f4dc59c6a0cb99a4cbdde844729b6a30

SHA512
d5bc0f0b50e22994f51bd9c40adae7ef0c10e29ff87a832f19dc75027248fdd201270a71f991f2389625a036cb88cad8ad86e14e6f743b0899197983fb340e34

Download Submit
C:\Users\Admin\BcAIcYwc\oEUEYQoQ.exe

Filesize
111KB

MD5
d71809606e72c5f75132430c77f84f1d

SHA1
bc7fc6cf69aea454dc5181289b4e7978e2acd28f

SHA256
23af2d6ce364e8a79f5b4a2277447916636faaf03fcb41a01fa96597421217be

SHA512
997a28ec51498d00b925d7bdd7f78d48e4e8eccb4e296779bfb3920b4e47adfc7f20ea3ac680aeff33629daa2dc971264c026a90aa863496a84799d31bf2f1d1

Download Submit
C:\Users\Admin\Music\DisablePop.wma.exe

Filesize
342KB

MD5
49062804c32db354e262dad85633d502

SHA1
2a3c84e117775695643e4f7705e24861b21e020f

SHA256
b2db29db87483da82aef5453b197044f5ed6888e4cefdea547e6d0d617e73e4f

SHA512
ab1bb11ce7178aa7ed5ed08d3d10dc0409b2de88f02b2340d0fe77610cb57b59b948fda69c6a9dac1b1dd557b08ddc2d1afadeb7b800fa5e0be87be9b6fea5cd

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
4.2MB

MD5
643b4ccf4f12a4bf3eb6e303abff6d33

SHA1
863e5a719f4ed1e53c42c46b6a935d54ee15cc7f

SHA256
e1b8b361be56c784d7ff76eed6c8e951ed7bdc6a938f8ad3d0900423851cc00b

SHA512
ebc1a8d4aae9d9cc3dfe66a2f0c41bbdcef88d2e037b5c5443b6bfa5a4c3f5ece24f4a8a4d129bc990ea36c680edf5b5a47840b32ba378c5c983626a2fd94df7

Download Submit
memory/564-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/716-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1340-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1640-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2092-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2092-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2428-352-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2428-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2828-369-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2828-357-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2832-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2832-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3628-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3640-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3640-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3712-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3852-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3852-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3872-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3872-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4056-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4056-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4696-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4696-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4768-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4768-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4776-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4776-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5068-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5068-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download