3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
Size

111KB
MD5

ef019e8914bd613e0f4839e5b7c848d1
SHA1

cbe8bbf68529c05f1c6e719ac472f2c066e10038
SHA256

3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
SHA512

0caea7168b1a22ed31a007e5992d33a7ed6bccbef0ba2745e462c98b9faefef74458d84a5716789deca4e87b8fd8271134a4af76cfed956d2c3c32044b15073e
SSDEEP

1536:TYDrUowZUcK/rNfK8vtlTsYJjzZ9LCKJqByJx3RDPiMrVvsa1TrWzoX+KcqpHPXr:EkycMiotJTJDLRdJxLpWzoX9pHD1oX

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	uWoQEYok.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	MKQgQcUM.exe
2912	uWoQEYok.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKQgQcUM.exe = "C:\\Users\\Admin\\xksEcwIU\\MKQgQcUM.exe"	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uWoQEYok.exe = "C:\\ProgramData\\hOUcYIwQ\\uWoQEYok.exe"	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKQgQcUM.exe = "C:\\Users\\Admin\\xksEcwIU\\MKQgQcUM.exe"	MKQgQcUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uWoQEYok.exe = "C:\\ProgramData\\hOUcYIwQ\\uWoQEYok.exe"	uWoQEYok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pskoUskk.exe = "C:\\Users\\Admin\\uKMQUQso\\pskoUskk.exe"	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hqMUEYEw.exe = "C:\\ProgramData\\PuEIoIcQ\\hqMUEYEw.exe"	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	uWoQEYok.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	uWoQEYok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3304	932	WerFault.exe	122
2748	964	WerFault.exe	124

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4032	reg.exe
5752	reg.exe
3412	reg.exe
5812	reg.exe
4388	Process not Found
216	reg.exe
6120	reg.exe
3304	reg.exe
5220	reg.exe
5432	reg.exe
5152	reg.exe
5852	reg.exe
3408	reg.exe
3972	reg.exe
5836	reg.exe
1580	reg.exe
3404	reg.exe
2772	reg.exe
5252	reg.exe
3040	reg.exe
5640	reg.exe
3836	reg.exe
2248	reg.exe
464	reg.exe
6092	reg.exe
5252	reg.exe
5676	reg.exe
5092	reg.exe
5848	reg.exe
3548	reg.exe
3604	reg.exe
2828	reg.exe
5272	reg.exe
2744	reg.exe
2276	reg.exe
5532	Process not Found
2972	reg.exe
3676	reg.exe
244	reg.exe
5700	reg.exe
5636	Process not Found
4616	reg.exe
5676	reg.exe
3276	reg.exe
2304	reg.exe
5960	reg.exe
2248	reg.exe
3676	reg.exe
5312	Process not Found
876	reg.exe
884	reg.exe
5840	reg.exe
3764	reg.exe
6036	reg.exe
5268	reg.exe
4836	reg.exe
4888	reg.exe
1776	reg.exe
5180	reg.exe
964	reg.exe
5720	reg.exe
4416	reg.exe
5332	reg.exe
3888	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1172	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1172	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1172	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1172	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3400	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3400	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3400	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3400	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3600	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3600	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3600	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
3600	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1956	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1956	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1956	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1956	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2276	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2276	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2276	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2276	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2852	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2852	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2852	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2852	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1804	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1804	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1804	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1804	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1624	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1624	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1624	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1624	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2848	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2848	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2848	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2848	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1668	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1668	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1668	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1668	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1756	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1756	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1756	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1756	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1520	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1520	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1520	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
1520	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2248	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2248	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2248	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
2248	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	uWoQEYok.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe
2912	uWoQEYok.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3324	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	94
PID 640 wrote to memory of 3324	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	94
PID 640 wrote to memory of 3324	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	94
PID 640 wrote to memory of 2912	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	95
PID 640 wrote to memory of 2912	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	95
PID 640 wrote to memory of 2912	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	95
PID 640 wrote to memory of 3036	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	96
PID 640 wrote to memory of 3036	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	96
PID 640 wrote to memory of 3036	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	96
PID 640 wrote to memory of 1756	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	98
PID 640 wrote to memory of 1756	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	98
PID 640 wrote to memory of 1756	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	98
PID 640 wrote to memory of 3588	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	99
PID 640 wrote to memory of 3588	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	99
PID 640 wrote to memory of 3588	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	99
PID 640 wrote to memory of 4504	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	100
PID 640 wrote to memory of 4504	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	100
PID 640 wrote to memory of 4504	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	100
PID 640 wrote to memory of 924	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	101
PID 640 wrote to memory of 924	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	101
PID 640 wrote to memory of 924	640	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	101
PID 3036 wrote to memory of 2212	3036	cmd.exe	106
PID 3036 wrote to memory of 2212	3036	cmd.exe	106
PID 3036 wrote to memory of 2212	3036	cmd.exe	106
PID 924 wrote to memory of 3116	924	cmd.exe	107
PID 924 wrote to memory of 3116	924	cmd.exe	107
PID 924 wrote to memory of 3116	924	cmd.exe	107
PID 2212 wrote to memory of 1808	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	109
PID 2212 wrote to memory of 1808	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	109
PID 2212 wrote to memory of 1808	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	109
PID 2212 wrote to memory of 3888	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	111
PID 2212 wrote to memory of 3888	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	111
PID 2212 wrote to memory of 3888	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	111
PID 2212 wrote to memory of 2248	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	112
PID 2212 wrote to memory of 2248	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	112
PID 2212 wrote to memory of 2248	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	112
PID 2212 wrote to memory of 1336	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	113
PID 2212 wrote to memory of 1336	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	113
PID 2212 wrote to memory of 1336	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	113
PID 2212 wrote to memory of 1596	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	114
PID 2212 wrote to memory of 1596	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	114
PID 2212 wrote to memory of 1596	2212	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	114
PID 1808 wrote to memory of 3064	1808	cmd.exe	119
PID 1808 wrote to memory of 3064	1808	cmd.exe	119
PID 1808 wrote to memory of 3064	1808	cmd.exe	119
PID 1596 wrote to memory of 4452	1596	cmd.exe	120
PID 1596 wrote to memory of 4452	1596	cmd.exe	120
PID 1596 wrote to memory of 4452	1596	cmd.exe	120
PID 1612 wrote to memory of 4432	1612	cmd.exe	165
PID 1612 wrote to memory of 4432	1612	cmd.exe	165
PID 1612 wrote to memory of 4432	1612	cmd.exe	165
PID 4608 wrote to memory of 2276	4608	cmd.exe	191
PID 4608 wrote to memory of 2276	4608	cmd.exe	191
PID 4608 wrote to memory of 2276	4608	cmd.exe	191
PID 4432 wrote to memory of 3004	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	186
PID 4432 wrote to memory of 3004	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	186
PID 4432 wrote to memory of 3004	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	186
PID 3004 wrote to memory of 1172	3004	cmd.exe	143
PID 3004 wrote to memory of 1172	3004	cmd.exe	143
PID 3004 wrote to memory of 1172	3004	cmd.exe	143
PID 4432 wrote to memory of 2036	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	144
PID 4432 wrote to memory of 2036	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	144
PID 4432 wrote to memory of 2036	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	144
PID 4432 wrote to memory of 1604	4432	3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe	145

C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
"C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\xksEcwIU\MKQgQcUM.exe
  "C:\Users\Admin\xksEcwIU\MKQgQcUM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3324
- C:\ProgramData\hOUcYIwQ\uWoQEYok.exe
  "C:\ProgramData\hOUcYIwQ\uWoQEYok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
    C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        5⤵
        Adds Run key to start application
        
        PID:3064
      - C:\Users\Admin\uKMQUQso\pskoUskk.exe
        
        "C:\Users\Admin\uKMQUQso\pskoUskk.exe"
        6⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 224
        7⤵
        Program crash
        
        PID:3304
      - C:\ProgramData\PuEIoIcQ\hqMUEYEw.exe
        
        "C:\ProgramData\PuEIoIcQ\hqMUEYEw.exe"
        6⤵
        
        PID:964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 224
        7⤵
        Program crash
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        10⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        12⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        14⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        16⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        18⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        20⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        22⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        24⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        26⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        28⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        30⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        32⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        34⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        35⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        36⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        37⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        38⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        39⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        40⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        41⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        42⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        43⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        44⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        45⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        46⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        47⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        48⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        49⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        50⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        51⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        52⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        53⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        54⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        55⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        56⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        57⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        58⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        59⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        60⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        61⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        62⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        63⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        64⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        65⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        66⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        67⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        68⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        69⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        70⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        71⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        72⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        73⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        74⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        75⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        76⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        77⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        78⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        79⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        80⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        81⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        82⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        83⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        84⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        85⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        86⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        87⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        88⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        89⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        90⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        91⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        92⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        93⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        94⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        95⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        96⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        97⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        98⤵
        
        PID:5792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        99⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        100⤵
        
        PID:5268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        101⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        102⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        103⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        104⤵
        
        PID:5524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        105⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        106⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        107⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        108⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        109⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        110⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        111⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        112⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        113⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        114⤵
        
        PID:5124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        115⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        116⤵
        
        PID:5360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        117⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        118⤵
        
        PID:5276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        119⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        120⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        121⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        122⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        123⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        124⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        125⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        126⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        127⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        128⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        129⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        130⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        131⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        132⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        133⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        134⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        135⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        136⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        137⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        138⤵
        
        PID:5276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        139⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        140⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        141⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        142⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        143⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        144⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        145⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        146⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        147⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        148⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        149⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        150⤵
        
        PID:5804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        151⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        152⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        153⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        154⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        155⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        156⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        157⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        158⤵
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        159⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        160⤵
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        161⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        162⤵
        
        PID:5216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        163⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        164⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        165⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        166⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        167⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        168⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        169⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        170⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        171⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        172⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        173⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        174⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        175⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        176⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        177⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        178⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        179⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        180⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        181⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        182⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        183⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        184⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        185⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        186⤵
        
        PID:5660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        187⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        188⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        189⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        190⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        191⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        192⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        193⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        194⤵
        
        PID:5976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        195⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        196⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        197⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        198⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        199⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        200⤵
        
        PID:6072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        201⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        202⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        203⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        204⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        205⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        206⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        207⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        208⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        209⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        210⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        211⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        212⤵
        
        PID:5572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        213⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        214⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        215⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        216⤵
        
        PID:5888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        217⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        218⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        219⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        220⤵
        
        PID:6008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        221⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        222⤵
        
        PID:6084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        223⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        224⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        225⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        226⤵
        
        PID:5976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        227⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        228⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        229⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        230⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        231⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        232⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        233⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        234⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        235⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        236⤵
        
        PID:5836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        237⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        238⤵
        
        PID:5604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        239⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        240⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        241⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        242⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        243⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        244⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe
        
        C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e
        245⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e"
        246⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:6140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umEwAYIA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        246⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:5888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgsYgEg.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        244⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:5592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYEgYwQU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        242⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcQQEUIc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        240⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAcUoMgY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        238⤵
        
        PID:892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIAMEoYU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        236⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:6076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsMYscEM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        234⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:5280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyMwYIko.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        232⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKwcwcUI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        230⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:5444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQYggAMM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        228⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMcMkwkk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        226⤵
        
        PID:1120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:5688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:5752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voYUoscc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        224⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:5692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekwoIoM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        222⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        Modifies registry key
        
        PID:5268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMsEoEMo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        220⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:6036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zegAAIos.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        218⤵
        
        PID:5140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heIMQkYM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        216⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKswwsoA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        214⤵
        
        PID:5252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSUIgEIs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        212⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEgsAAAo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        210⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:5640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoUIIQMA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        208⤵
        
        PID:6052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:5768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VockAgos.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        206⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYEMYkwM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        204⤵
        
        PID:5944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:5156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCkggAoE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        202⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:5280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HysUUkUw.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        200⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSsMUIgk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        198⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKMkgsMI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        196⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQQEUwoA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        194⤵
        
        PID:5472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:5948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAscocUs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        192⤵
        
        PID:5324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqEQIoAU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        190⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:5540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkkkIIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        188⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CucoUgYA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        186⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCQoUAEc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        184⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKAkQQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        182⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:5240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUMEEoow.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        180⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaoYIokM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        178⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOskkcoE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        176⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWoQMAkA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        174⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUoccgM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        172⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKEIoYAs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        170⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEoQMEok.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        168⤵
        
        PID:6064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMQswws.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        166⤵
        
        PID:5744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWUIAIkk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        164⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKokowAk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        162⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsAYsUYw.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        160⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YagIYsMk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        158⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:6092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:5812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WksQUEcs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        156⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:5756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEAAUcs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        154⤵
        
        PID:5224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pusQcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        152⤵
        
        PID:5700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:5960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccEckoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        150⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUoQIIIs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        148⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkQEQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        146⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FucYAQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        144⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmgIQksE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        142⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:5848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYEwssUk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        140⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIcQAMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        138⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGQQgIkE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        136⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEMkgIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        134⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWQswUAo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        132⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:5220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKwIYcYE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        130⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYQsAYcU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        128⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgsswQIo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        126⤵
        
        PID:6044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaskUIcE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        124⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SawQMYcI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        122⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywMYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        120⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGswoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        118⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGIscQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        116⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwgAEAUA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        114⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:5900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LigIMkwU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        112⤵
        
        PID:5160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgEEkcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        110⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:5772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmEYkcMA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        108⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgcsgoI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        106⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqcksEMc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        104⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEIQQsMc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        102⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWIEcAoo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMQwAgU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        98⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwkYsQAY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        96⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEQYcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        94⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCYckYQE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        92⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwwMIEUE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        90⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesEkogA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        88⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:6112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMkQgEoE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        86⤵
        
        PID:6136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYMsAEEc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        84⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COUkkQIk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        82⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUsIsQMA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        80⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oucQooIs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        78⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwYggMo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        76⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vikcEUsw.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        74⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOQEkYEE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        72⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQscMIEc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        70⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWUsQkwo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        68⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIIgMgE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        66⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggcAwcEs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        64⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmswgoEk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        62⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuYYQYAc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        60⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwIYsoMU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        58⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSoIYkwY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        56⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkcswgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        54⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQIQoAEc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        52⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGoIEgMo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        50⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mekoowcs.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        48⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWQMUIsA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        46⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIwEUUA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        44⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeEUkcYM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        42⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beMkUwsI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        40⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcgskMUM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        38⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esMIQMoE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        36⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgwYowMU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        34⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCogcwEw.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        32⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiIwwkUo.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        30⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOYcYkwI.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        28⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGQowUAY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        26⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmAYEckk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        24⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyUIEcgk.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        22⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oycMEYcA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        20⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwYoMIYU.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        18⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmMMIEQE.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        16⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocMMMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        14⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgYAwMsc.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        12⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCEYYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYMUIEwM.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1264
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uokcMUUw.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSkMUsww.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4452
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggokwkY.bat" "C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 964 -ip 964
1⤵
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 932 -ip 932
1⤵
PID:1472

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 591a1f12944898441ad3922e70b473e7 fWtZWnKjtUWQDyqQ2znRXQ.0.1.0.0.0
1⤵
PID:552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3728

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv fWtZWnKjtUWQDyqQ2znRXQ.0.2
1⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
1⤵
PID:5328

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
743KB

MD5
1c21edf93a369a9997aadee445574cd3

SHA1
9a1bced601e388d1f768b30b2b3ae34c087d8b04

SHA256
8a1534e2e2bac84b9905b9eabd9d07409a420f55e0a22b146ce2a53d87de485b

SHA512
0abd06a536d6e54f29b32865c5a59439e88536c70c3bc49ed09fb9ba182e085aac110b7e903979afef905f07fdf89c91736521ca7669dd449b42b4550f40916a

Download Submit
C:\ProgramData\hOUcYIwQ\uWoQEYok.exe

Filesize
110KB

MD5
6621fdc9e34131e5e03e2cff714dd49e

SHA1
deb5f2f423b0909d753e4fc653a034673222ad41

SHA256
df2ce8c57c032bca003c23cb8d24e9d5151103a9814dc98e1ae259195d231cb6

SHA512
70d346f8bd8e22115ada9ce3841a52f7d96a7b510bd7ea3661a0cd4c79afd8c498992c8590eb3df76abf1a549d8f5a430cd77d3a783801c0828773e302c5ea99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
113KB

MD5
819cf329c5a601b98bec2580f0ee8f37

SHA1
7aaa61a3c2443656d01068643eac7d62b4b90eb7

SHA256
0bb0eb0d3fb5599640246284288c93f8580a85a146010b2fdc2b6019af3a4ac1

SHA512
599c1c1731cde5fc7aea54dbb383a4b0d38061fb597b96fceb2b7ecbdf6b2d6060c77bdb5a69170db460a8b2944d92d618a708fe1a8eb0a87397b22319f7109d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
484KB

MD5
bdb04be4577e5d687097bde300ce343f

SHA1
bcf4488a23b2de6ee8dbdbedcfe362535b6d7f26

SHA256
4da38b5835c51161f5299061cd6c6eb30ed6874c98b489a30b55af704f866d92

SHA512
bbc6857dcc9f0a89f365400ec34c73f626a379273eabdf002af51c6014f73561259d3c53b6956fcfa8eb22987699c8bb62be734bfcf4b5568685fec4357af381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
118KB

MD5
75e8168bf3287e86110cbb7203e5a2b2

SHA1
f7410ef7fb1a96740bcdba70b3d3078dbfab9312

SHA256
952d7e865f98b03e2407e227158a913f271648fb1f8fdd0bb414c787294d6842

SHA512
71580ebd8ef5134dcd6d4a2504a4ad6460a3d17a0da2686dff714864508a454b47b86e62c2d5e49c9a5a96af41bc7fc6cd6eeb1cf9e5781c9cac06fdbbb52ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
120KB

MD5
89fe87931a92705b43031be37b04d4cc

SHA1
1448c7e761758b069ea921c75d2e657d18246aa9

SHA256
8364902c5a6e943a8ec0532732720ce7762823c3830940f1e4cc6bbfce12297c

SHA512
dcb463387c6f2e1e740ed8b47ff80ce64931bf46a0bc502f458da4b6638d8cdb8674f96ff98fa6376099642b54b4d9ea066419e051c362f18f21c63c48052ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aebcdd50b20739ee3298a4401641da74c6e00bfb0eaf84c93f9e4e9e5e8fc3e

Filesize
120B

MD5
56c144caa9a420c26a47106a53c9d530

SHA1
bd3c46df953ab712c847d12d03bc3f6bac4fa0b3

SHA256
7c98d566a13fd599d1c11a375f387fef69b6c595c4f18c5d88c188a860be0e55

SHA512
d56811661e3bdaed08281deedc289fdcf91c5df62f759c4dd5dbc28ad37f0adff1d5b2c8ebb99afdfe40f6e417781757a7ef8a08123075fff4367caa5c223708

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgw.exe

Filesize
1.7MB

MD5
eefd08d626e610a0b4312e730e83bee3

SHA1
c4410ee9ce23e24137410e694470dacfde9f90d6

SHA256
8c653fd368779ebeb5ff57dae2553a3b4caefe4ac623418a9ed738f5c1570039

SHA512
c4d9fe62d135755780ced7d3e8610d3cfb0bf57007620d1f5d0fa13af23c8e5b97624a9d6836a4f9c3866aa711a8c6f8a067803542dd384945ca199816a47c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoEc.exe

Filesize
620KB

MD5
eeca3806a8c76caf14ab424feee9dddb

SHA1
57f1321c628fda9c29ab3f9dc86472cb3442a9b0

SHA256
192820276e58395baec96f08e4850369d195b0b0a39c4c816eb9a9cb650d5143

SHA512
cf603fa93048fb07d6ccb10df65a2b30af34d07c1eab41078b743ca7aa9a2d21fd7e3328c28793fd230bc357481b90d80ecefac7fa8f079ada654b11b5b28aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMYg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsYE.exe

Filesize
153KB

MD5
746ad22e5dcd7638909022b1dc30d9f2

SHA1
9c3a36af9fbad125da61fd077df2595056fc61a5

SHA256
3e805688b9cedd710b9e95be9eb68f79e1858dda806cd14bcb1671519f96101f

SHA512
c44055e9ef93038c86a78dd02e14ab9190af41faed3de65988eb107130d0e8d1464762efb5292fc1faf044e1b64fb8a5e46e304c124ca6127bca4431eb8e51ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAcy.exe

Filesize
722KB

MD5
bd34e8b623c37c0fe44d6e2f802afeb0

SHA1
ba8540906cf498897cd3e2cae235523036758faf

SHA256
62dd0ac2c27a6f3b42a141e4e92c0015877966282b650b506f0a3156c292e6d9

SHA512
f6105b5641657d1cbabf0dfee1b2deb30b808afa7efbe5c0bb421942130a463b96b8d5897ac317be572d8bfef500656da77eb5fb95eaadaab3bd1493b972bfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQg.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcsI.exe

Filesize
111KB

MD5
86980d1e5afed3b0f97cb8ed0a2db492

SHA1
fa1227880496d351735bf072b321da99eb62a47a

SHA256
98bfb3a90842b56d7b5471788c0f6e3ffd4ff697b5d3c4ac03cdee089e210739

SHA512
7a866a7517552fd9d1b7e3094b9ed3325bb406a3bf17aa8eed61542eb3dbdb8bf0382927b37605ccc40ef1b1f02367cd4ced27fa30340de15fac709382c652e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekwi.exe

Filesize
112KB

MD5
6cc501f1c2e5941cdd9135ce905b2282

SHA1
7318a62c2568dc31286707320799ce6491c0498c

SHA256
5b0c6c68aef69f6d43633671932797b8d549046f33398fb33a57ad5baa14ed1b

SHA512
ef48916758cd4b43eab92a28a667dd8880de424974d242c0563fa9b080831d39292b828fe73837fab5cd4f7ef447c5c8304aa6504d6f1b714d8f63b14eba37f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsQY.exe

Filesize
112KB

MD5
6a62943e8932415299a2c587ab5dabbe

SHA1
20fa27e66418ebef1323d57285493c00b4b92ca5

SHA256
23ec8394f9ea213c94b984ade0a6e7a8c8e8d871df9e3dc74283ec69ae9ea79d

SHA512
2c0b544b25131abd8e6ab34c63912e76bfc215a0d13f8ec36c3af1dd61e230239c7c711034e0da90c8fee236057df2cac36cf687d0e49773233db300a603bee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fsgy.exe

Filesize
150KB

MD5
58a4c513c98310abc7eecbd585954174

SHA1
2cf007e2389dd297dc12fddf3226cdb78ddd2036

SHA256
2196e44bd88b5a9e9bd48a640adb3e84f0eb3432c222b702f247726ad55a2d39

SHA512
4f4488f9f8a7e10903731fcf3e5fe6e61ec0194217f55a732ee023e9ea6534d599f8a220ad8e309435e3f104e464317fee129794254e9da06a3b3ad76b93d1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMg.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoEi.exe

Filesize
138KB

MD5
8a350c338c3deb55c38beaf74615288c

SHA1
4f0df68c6e4c0fe9577e5832991693d748ef7ecc

SHA256
2e0c037f69833949af95fc745e896f2efbb5fce1bf778f8fecff52c2cc5c4171

SHA512
2a9fac5988a440b1fb445c08ca58942804842ca81016c9cc9db13dd81abd3dd3cfb82a82177a8ccd2c249472d686c2f856285d13698a1eb9640ba56d636e7624

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYoc.exe

Filesize
722KB

MD5
dcd220f994a3b05abc9333fc7e97da6e

SHA1
20178c6026a386ed1a00ce2470bcdc863bfd3261

SHA256
377f6c7943bc03a88edef0b2d6e9f83be087f1195db8397f2f499f30666787cc

SHA512
ab31a9ec77403a5902407b26a45735f8fa7da7490dae1890818380a9239c9ed3329919a10f39e05fbd3555735c5db18608350f8eb96e19b6a89234b572f8b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYwg.exe

Filesize
64KB

MD5
7f65c30903ab3e6cf2db72790704ad93

SHA1
ccec744ea83adf128c3bba982f2e0dc347b15f9b

SHA256
6b955bd2f1809a4901c00d37772b6db294999ad8b6442ac46b5e9c65f040b6f7

SHA512
b942b83ff04e3dc2fb75cacad4f396cc2a513e12e83d10a1989de0b49132d1de370b161210b891596ababa420d74a200bc35d4c36b3b89181ace477bae0a471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUo.exe

Filesize
111KB

MD5
6365b2a7f0fbbfb7f1a8aec332ed42f0

SHA1
f8c0d58621fc5b14add3b5d087947e7f81230efc

SHA256
c1cd503650d4b16ff102f27cdc61e51d99e648414426b3ff3bd929764605c427

SHA512
128681480d7e4ae2f8fd2e4125ae8c8b5cb506e7f5a041dd528a95060a984318af18189b572df8e117b9e46ae2cd763abf79fee8614e5c974b8ec345b1d0555f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAoe.exe

Filesize
68KB

MD5
4f23924f8b170ee6c0942ae4d5569e09

SHA1
ec2bf734baaea8fa9c0bd3edc4a71c12323b1ac0

SHA256
834d698f817172ab4a5b4adcac0c70d57d9b8173f482980ec0d3aaab0a976b7b

SHA512
5938e94da4fffabd889e655f8f42802930e1e2deec03534856e9eff64b098399a527ec2848eaa6893f7b3d6f235f805bf7234f84bff9e143da2c44a96a4749d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMco.exe

Filesize
112KB

MD5
a95a3c6c2283f3508bb2f93fdcc760f1

SHA1
7b1116e57cf8ff68b24aec07c7effaeb5136d820

SHA256
4788792ccbc75fa415a569c15085815dd6a3618f2028b4091efd8a4a7c5c54f6

SHA512
a4bbe531a6b62bae9e6f456e1964018c6f7f948b44497b840200b08378e51f264b92b54313a227fd227bab2e0a7afb84169b54b4a88f3fa9b3d819ef286bacd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYEu.exe

Filesize
147KB

MD5
5378d6bfa158dce3c698f1829135e02f

SHA1
7248f5e7252360b8b9d88bf52dc049588d02f23a

SHA256
42efd8caa454942da8174cba18d035ce6408a6d5c52fc142a883a06257109d8c

SHA512
965f0c0be558ea476255657ebdb800ad69d4582507d1338b4584f91ebc2d1c022e8897542474d380621d5681da0624bcfd8e18ef63820db73c98aaafc17e8990

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYQq.exe

Filesize
118KB

MD5
f46d8ae02d9a3a6b85e0806a2f257a52

SHA1
c8e92861d22f82b37b51e95c48be2ce5873a564b

SHA256
c2be790ab39669484d1181f4641ce379b3e31cded1643b28176cc1984895e5d8

SHA512
2f6f7c07ff68de417df80d41de8aa8275111d090c4aa7cb6768b946cfdeccb4e48d3ad951f3552a5e3d323ebfd1538fc250e4b9cc0868d0d31d869987f94b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkIA.exe

Filesize
111KB

MD5
792e1ab725bf884f4c00602245b8ac2e

SHA1
a34a88dfc716df1cfe32a5ac80d20e382a53fb64

SHA256
1158542a6e0891b7c2cbf7442668fd366e033889dce615b3827d64123387586e

SHA512
a2fbf228456880dc87de3ec7b64f59d1e379679ddbcc359d11484f1b6ea3055468dcab98fffb2970474f27a1ded2014db0271441869460126439b923917fa90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkUA.exe

Filesize
567KB

MD5
35d779dfb163b190476efd2668b1beba

SHA1
5bbcd77e46790524aeb80da14bcd7b7b8d0d96a2

SHA256
36368642f63fb54074d5951936e154b53894a29c0ff7c83dd8a542ef54421c48

SHA512
21546f9ce72cf4a6ee1589188394d8483eed683f7c1e6d692aff6d01396839a11991e79761d9fec6d67f74720e7b26dd839802e3aa28668dcfe2e6174850341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkwO.exe

Filesize
110KB

MD5
3aaaef4c5c770a3434b7913b0ee52d1d

SHA1
41440285be57f8962f277d41b5756dc0eb9667e5

SHA256
12d2851f5f4cc1a231cfbb6a799018349996b30eaeee114a2f61595adcd983b6

SHA512
bb2ff96eca62c91be40b24d7727102eead8627f6b982b5ccd3076657e72f56b2d2a38be00fb9d76dd713dfb2e478b50c32e1530a9dd28d581fde4dfa6d6577f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQu.exe

Filesize
111KB

MD5
a5996e606e774a884743d2c85853a58b

SHA1
80b83576d893bc3e7f853ef77642e1b371060487

SHA256
670081689a6ea2430895f82115cc710dbba668471b4a6368292c2b497a990a5a

SHA512
99c3d06d067e41dce56d4c062f64403ad60eb5e9106592e564fe5ab4e1f7322dfb98f77553de9517bf27687defe3e36d8fe6f7763207bafb0584dca6c8677371

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwYc.exe

Filesize
111KB

MD5
34bd770786ef09b1e0f90a5e1fcc8b45

SHA1
f1fe824af695c5e44fca88f730b42f894a6bf4f1

SHA256
4f31ce7a87e2dbcf2e4c6d2b387c10d77013ea6cfd430a7bc9a874a32f0b0df3

SHA512
e1612510bd359668b3dabcba0c638ecc0937231d3b34ab19a3f3cb2aeea7c166e692c42a9b62e88524951ebcac23becff2a4c9377297409c34764d167fee3bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcgo.exe

Filesize
500KB

MD5
990b8794b34d668ab0355a99426d5e17

SHA1
19ef3cd0395065934f60136f80513f8fc132af25

SHA256
884d2ce3e0d057082c8cc4f420d14e0cf4e9e2f91a53105343ab3abb65d862bc

SHA512
9d7a94b0d507d2f9c9619f095124439761ede035a6545c5dff455fa53fa4a879651d9927babcb078290a51afe1a31fe9f8331a1536891e58a2e81e6dd566534b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEM.exe

Filesize
109KB

MD5
8e52850df2a4e05867b4984fd70ab1ed

SHA1
f7662e8cefbe17759b81945070cb8198f7f392bf

SHA256
136988fe60e7c2262afeebce956b8a7aef90127ed821197590c142c9714cd3d8

SHA512
bdb89afda64802444b9b8a4eeb3463f299dfbeef4f04583f8dbe1654abee678307e0046392b3e3bd9aa0fc837392e4f4ccbc60f4784a140a17a2cacb9f7f4712

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAAe.exe

Filesize
116KB

MD5
dfccbc3a09e9b4bf8e06f33d507cdfdd

SHA1
8f9ee0b67c91d5f217bb32ad5b40527e39f9d482

SHA256
5668ca6debe3a370f8246fecf468ef870b5227f47db6e0803009d2a2e866a416

SHA512
3aec9408e27944212e1844f1f6ef1aa28880db7d074bf5fb5bfa1ab7827fbd9e42aebcdff56bd0dfc022811e65a6f3c258eeea5fb5151f6414c07ada9f4150d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIcc.exe

Filesize
114KB

MD5
d7482093736b1a3d207fc057a0edc292

SHA1
301f8ad1c76c178406bd9c8ac500ce060f489c50

SHA256
d634a23e92dab2946d63bdf321ef8ab1ad6eda4fc5cc9b5b0176c4b3c0460fd7

SHA512
a343aed667a47a044269c6a75f3c4c6672de8db6f589b8aae79a09bb0702aa3470b59691c71b9479495cb302af9db7c032b80f70fe41e942f24a06704194ad8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIwI.exe

Filesize
110KB

MD5
96057f5c4adf334303a724a34c4d6efe

SHA1
a38ff8dfb4dbda6ed05b3735e82e37c5d5ff6db9

SHA256
afc0c0227432d51b95d93e48d76c716e845c7e2e893c106c176c117aa1acf4a0

SHA512
d63d9cfe1be6f0e1e73eadd728bceea13239be0163b9bc03df75ee1d36fc6ab3c7b5c85e29e24c49258f6999ee101003a3c3bfe37246355da507437442df6027

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUEq.exe

Filesize
111KB

MD5
84c6926ab2622257681ffed7c1db238a

SHA1
8d8c74ad54ff1987568736d2226c4b41d2bf140c

SHA256
8d29fe9f0e5c269cd5601d8295683b2ed36b6956d80e6c1e55ac12969a631543

SHA512
cad7454733ed55ce42fba52d95f9a93cadc7989e3a83e43bec007db3e9221ad0aaad1fe305dde32280354e09f80733f865f58277354d1cf08081903e1c347b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUsa.exe

Filesize
111KB

MD5
d904f6e897781ee9f531d0f7d13d41ba

SHA1
4883c73bd3d0afed0edf174c8f30583d5df5cab4

SHA256
113d68ea7902934cb01b726fe5263771821a9e49a15d780acca4eb19d58a5a5e

SHA512
d5243c9e36c60d233ba95b38d4d78ed07954fdaf3d8842f314878219e8cd1d00aa19adaccec8d79ea48f06984d01361acdb332a81d6792780f1225554d67ada6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQgq.exe

Filesize
134KB

MD5
8f829e4efc28176988ca8f43218a57ec

SHA1
531707eac1efd8fe33ad4f34f3f7f356ff4749ee

SHA256
51426b9a79c52fa0b2a799bc192f0233c9214eb70265f0d6dd628ef18d1dd450

SHA512
128b7972d53cee4ff9c8801d4d6c3d8ef90408b49c8ed6162b9bb00310c2b760c9439644cca9a491286a02cad96793ab2ad553206ac45bd90c240ebb0f30b91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pgka.exe

Filesize
112KB

MD5
c7e0621a4495f151041bbb1a14b4ee56

SHA1
e3ac6a023686872e6342bc90230be0073ac83af1

SHA256
22ce94c86197a64579da2660b394b7fb6b3b4e309f5b4ee2212271e0fee79bc9

SHA512
86fc3cdbad5c398080facabab04935aa7abc451dc2c9286fd67e0ab962299a81528e36266b695afb1a283fc3c065e446abfa1339a8fb9c887e4a6657a50ffcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PssO.exe

Filesize
117KB

MD5
30c3d187971e74b63bc3a25a7c109946

SHA1
2bc6d0dfc397b74f9e7be97a4c00e5f19a7b1472

SHA256
ec8992b75aec5b39a5d49549924d8503ba789c19e6a7446b6d97660aa4db071b

SHA512
2ea1edb044d182a953fad5fbf327f0900c2088526ca7e33d58a057f92061e22c92e9c1c29bc7cb5ee30f02e5e7ac2ad2094c5678916c73602bed7f797f3eb216

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEy.exe

Filesize
139KB

MD5
8aa7e588d282acc006be8d0040594e4e

SHA1
3ae7c7dc7ca9ac7417df72c696a89a6361e6dd8d

SHA256
d48d408baec7e7317ef73c5e7d18c254c5adae6c9111fa84abef551a4a33429d

SHA512
406e064892826303052e164ccacda07a151e7b1100813b2a28805bcc27836c89a82e051cae22fa7b5eee2ab394cfca9bedc79d5b4ee6e41a0e03a5ad74b6d4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoQi.exe

Filesize
110KB

MD5
3001586b8f061c5cec23d72c995cd244

SHA1
fa2dc1d0e725bda686e21eb8887b50a7d86c7891

SHA256
e24dd1ecfa59d32b2634fc22ca13af4a51ee43586e932640d909d8f9bbd86c29

SHA512
215a462761dc1284fe4ff15186a638940ba67c0539533041b79a1113e6592ac949a9bcc5a7933c43549643c33fa81ac24cf138ffb4ce2700989a7e3a9055423e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAsi.exe

Filesize
111KB

MD5
746d0bb43f88eea201775c24779e2dc2

SHA1
d46c782f268fb1fa846072981be286ecf64b16ca

SHA256
b19cef1b2d1dcb8586066fe1910f523075de5d9c97fb39070b2cb89987242058

SHA512
1158abeea421c47ce155bd6ee122bb77b88ab6f649b9f18f5e05f9f8503b834ced5878a7e1249edb395383bb4cde1b4eff0c03615c423126ad306c00148ce1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUoQ.exe

Filesize
698KB

MD5
b71c8af1656ba38d13850d026ae8b373

SHA1
a639502c895145f113e0ecbc36b00e5143f13384

SHA256
66df715b5a438a2292b8153b670de04102017883b6df1becc2874da0ee91275e

SHA512
73af1c4754a4b7342a3b5e83f2243a705df2106c20730dc7fd0af56fe99b96b30364075848211ae4cbf158317096af6f356ddcd6da2161a23eeabe94eea09596

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgwW.exe

Filesize
112KB

MD5
0ec05a4e149a9bfe036d82b8f1ef93d6

SHA1
a98d6c0b934072584f3341676302b15bc3f7ea3f

SHA256
a2e7d72a28ca2abd3da242286663b72ac1fc7bcdd8cf602113a4e328514fd36d

SHA512
e0b29637d17d44a1ec0fb29bf5a5135112b1e4ab7687a1461aeec16b536620af16b226620e4d3bda45c40aa5ba51c1e6b200a3c1a3e03b464089f09863aa58bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkYi.exe

Filesize
115KB

MD5
975b16536ca11439da49830c675541a9

SHA1
fba4420dddf9d1afc4b8c10f3d65d83a237cbceb

SHA256
60448d7fe4f29602c9323ff8757dc8b0a3d654c56a76ada461cf38391d8073d8

SHA512
fe99918ae327d1741725e85708b126288a09a6916a80bc121dea4c08eb6bfb3a80c337c02fc0e44b475d142e19a7fcabf85e8c5a2e247105e937e3254b0b4cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAcW.exe

Filesize
140KB

MD5
32817b13a9d215394601fe50eb26a6f2

SHA1
18ae362dc049b69e0268b89817efadec0a01168e

SHA256
0d1957a3071259006f778e5b264fef7262ede29825e59a85c1ecce4aedbecc13

SHA512
f93545bca3641483ffc5ce55e03b82f2673c54711384a2c1192950c6f456429c51d24e7bb98a4253077586e3b410a25d6391e46842623402e6bae7e5bff18fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TocI.exe

Filesize
119KB

MD5
2f0efeca9089788d81c5c1534f6c6a44

SHA1
83dac763ef7251d793ba52d8b23f19c2e04baa32

SHA256
689860ebf57fd622570041a02652a3b723760045c764ce0b56e9af20dcc72613

SHA512
bca3c365b1f3914872263895c35f739230f42a11834aa4112d6433b8ac236413379a3a25e4c2d59b36dcafd994778cfe05aacfc29de9bccbf115755df4d4b3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQou.exe

Filesize
109KB

MD5
011b84944540e4aeb28a6a9469eedc33

SHA1
c79f44e84a02a37122a256cbb49f7517c9e39b31

SHA256
b4e18ee94694aa79ba65e6e87e53721d7e4c5f792f8c216a25b99a9087d73fbe

SHA512
a2ca1be9f59e2ed439a281466bea693edae3899fac5ff23aa9b27a3e72ff6668599493910e3c74c4262bfda31662f9148433816e8035117a22e43a3c2ec68f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwMM.exe

Filesize
110KB

MD5
a537621f2cc5c2626203645dc7f28d42

SHA1
fc05b43e741d5a1c9f5258317bef31ece0e42de3

SHA256
b04bfc79f3350003b0753faf9b764a169a24ade4b1dc5b5e5235fac19a095c96

SHA512
8823511565083d68b62a2a224bad0430ba38d6b46fed49353ba249d2db625d3e3ec0a6a82e242c2e842bb7363aa45366b03d3d4bd005e79c8a28a7f6da40bfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcca.exe

Filesize
236KB

MD5
5cdeb8b50e6c0d2d3c31496f9359e4de

SHA1
18183c61f0d1f7a72aa9368eb3586076543984d8

SHA256
2db22eca8ac58e2a6efd8f416f59ad4935b309107b7cd4a790d969c25a786bf2

SHA512
9b906534daa4b87330e7d9aeb67adc48c8fb275ad2213be08de387be5b7d88c4298ac629a2409277b3c7be839f9e9577d6e8274caf3f2740888fcf012cd1bfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIsW.exe

Filesize
236KB

MD5
aab432b333f1903b5b26e28093bdf2ef

SHA1
f1a4024e9790d22b350a7a1b04046d78eca4103c

SHA256
fe20599bf95880cf6e4182ebf003423bab1307d2801e3481ce587bcdafc54dbe

SHA512
39d061b0689b7aac685ac2a3914e96ff91bd99195801f4ddc71dfc7aec914d1c1ea2ab991bc123b7e2e3dcfeb47d07a01a81816a66a4824922ab58227717f510

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYQC.exe

Filesize
720KB

MD5
60ec4912b78beb508819793a7e8058af

SHA1
0c78dfdffda72d7f0fb8a57dcaec57ca0546f3de

SHA256
1357abe569bfe3087baa56727683266c49bf1f7a12b179f1bbd62154b8a56e39

SHA512
03c0a224697946ba516a9fb7fb42ae5d1918a5a8b8ab455a18c4f7d25fe0de7ea03b7ff77201cfb31ffebf18e49069fd21c9bf240dd2c3e148ff74a8447a9a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYUm.exe

Filesize
1.2MB

MD5
47c9a3a4e93be8af5fa1fe7d30221f21

SHA1
fef450297543a7a43818df5735583e28b70c5763

SHA256
036be410396b0506ca556c0b7c968e414efd3eba90bf6a9b6b8796bd7c4bf770

SHA512
aa5650a8b27bc6c731cc0a8f1f62f8340b3e8ee5fbc344d9f99ce70a9c64f8b89f20b468a0ec97203c32ffc6b183645705bc35328ebe21210469ecfb553ec7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYgs.exe

Filesize
111KB

MD5
b0f9ef44af5ea6eaae08f928a1eba7b2

SHA1
62461d91ef7fbad8769d969f1515007221bf6915

SHA256
756c3151e64aba48a5b7de80a77657ef70cd31ef8cae6daf9deb8ea3dc26109d

SHA512
61652b6f4a80d25ed5a620badc52b6f285e2e6061e41bea3649cf7e7e592815c22997bf3c4d04384fe96f67f520af47c120d3fa2745178d205ddcb5c33872ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUo.exe

Filesize
238KB

MD5
514c8169c0402d1b11b0fffabed385f3

SHA1
e75abfa03db0fddf3b14489b41c981c0ce56295c

SHA256
4ededef9027760cf55b688963a8c8d5652956a55553aae146642b11d584cdfe2

SHA512
ae7f3ceac1b3c6daeaab0393b4b9af3bf396998d9aaecb2baaa293992dc922c173bb293b840fcce60bed4989391042d46a86d96bea288b1fbde86fa56485db22

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQge.exe

Filesize
111KB

MD5
a5a5f4f3f0dd2cdb942ef654e22bd1f0

SHA1
276896df3cf7eceac58e462786e7344a864ef8a1

SHA256
d6a3ad7ec85614e01770dc216d7c1bb079a7c5c391fd4c0a4eff2f57b655acf5

SHA512
f8a17a772178ffe5e2b9d6c184f988e5e26fc66dab9d124bb029193ca3b00bc24f64b2479118a750db287df1bcff637535e78dcceb67b8d31c311f44e1d54859

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwQ.exe

Filesize
113KB

MD5
414fea9d536d1b634a64c7e0f09df8aa

SHA1
0c55605c6fe62de9da9a104a201d722b595db317

SHA256
b4c2e2018e50bb631c6b5db663523adc79fbd362dcef1df2599b7147dcd09115

SHA512
6c1754a04ca1fb682a98636a003291987b813a1e7157a4e8bbdc8b1010b4f3d6e72ac9b71ffbf770f0e82ca77e9584878f690460ef9e1ff37ac0c6379ada6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYww.exe

Filesize
565KB

MD5
9f6fa899881517fd11dafdc1f244e96a

SHA1
10f20569b4d984cd56b32702bfab9110ee2ecd69

SHA256
0aee27868fc5edb6766a0031d3d39cd49c4464f1552e825878ddd06adbbaba07

SHA512
e902e1022501069cd52a8ac845b79848ece94c30c7941537c95f0baf09c21799501ac80b64400e0962f24d6913c0e9bd273db8a9e9ec5b5439722d344fcb491d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwcS.exe

Filesize
140KB

MD5
24f187c02445ccab0f0b8034e88b9124

SHA1
a6cf7232dc672e9701845bc1a8382e28fd5a3aa8

SHA256
ad052686ed8f507d81e0275d8c427b0a8b03482193a3c7bf410c20ba14e4bc82

SHA512
7ba2922a181cb71f2e9fc4806a4c73872ca012fb6d2f367e9658854f3d5b1ea8f6a445a28c0072934a6bd3585fb15757179367b774dc59f69ac6bffff6d62887

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUIM.exe

Filesize
556KB

MD5
ea56885ec56369f9716eb7292bcdf36f

SHA1
27982fe6b485bb5ca91952684740f099cb8e9cc4

SHA256
efcdbd503da6c8d8929b1a30fc654bac6f5c32a81e1dd70d28d6092f147d9732

SHA512
4439af566beefcb3f6d1429a7ea66991ea7dfeacc1a6121e2c6cb40231fd1b1b1ddacc0d3f7ce5a1c3386a7734fab5a3458c2ea64b828420c7d922e77d990517

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zggs.exe

Filesize
678KB

MD5
3e9debb8c039092477d71439c2a83481

SHA1
e5f084b11e0e5be3ad92bb8e5535708ba8912785

SHA256
ab3d65e64f75eeb952ccced977b92a50bd23ab9f17d836558e00797517a75ee1

SHA512
7a358dfe2d03b4fe0bf4e84795d1ee2a35f4a403abbbfd0d7561df9b5a11f516a5153f602b457d22ca116458ff46030dbb3974c4bfc46eea746c1c0c0ecab34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoko.exe

Filesize
469KB

MD5
9363b967e8bbf3974ec9c9980b008dc9

SHA1
96b7bcc89b93f7faf2d0e7b60064f4eb91224197

SHA256
c1bca484eeeb3bc02e02fd0763b42b8c815ee257fa39f28e2d6fb8ff341ef75e

SHA512
fab994c00903ed768d0b66d91363e11b8661a038aa27d9c90dbe12a3125004da4fada9dfba5ab3a793c843a0cc4edff9aa466b7e7ea195720319064d114083cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUk.exe

Filesize
118KB

MD5
dea0dfbbf89977fe3d8563776e958749

SHA1
84f28c2a103efb8042668fcbb8842b3a370d71b1

SHA256
ab292af135dbcb9f812f49773a4ef9bdb63a49d3f624d11907aecafd5f862513

SHA512
430d585e8a8329630eee81289b4ed3e7a0ab7151fed19701a155c960df6e9e0ebce94b69824db2eb272579303a01246c74f092279b4df6e8ae2d2941645d2c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIMm.exe

Filesize
239KB

MD5
a7c2a5408522986ba22e1bba70412b80

SHA1
f1e5b76d1d3c075ededa5bbbb27daf5559a8b704

SHA256
2feb3cda4ee5f0f3802764728fd46a0205d59d8675d3c212f511aaa6c0f42e31

SHA512
e6ba312f13cd83261400b6b160299420837a562c7e99a084e8fd24f53080888543225fbaa9c69e3c534243942ac3b1fbfb027e2dcf2cd21dff78b5412a9bf33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUoE.exe

Filesize
557KB

MD5
2ab76b888aa59e4cf8d21b9c14e77f7e

SHA1
deda4946454be399e47deec33fbf622489d25ac0

SHA256
0afa424740855bbeac2409d85e4b9da6c9af63acb9f95ac45a591ad91bad6faf

SHA512
b2e590399583666dd5fd40ca7f1377fe4e0ee360847579f1a74c6684fd36df0ed8f869ab544d9add9ac42e1e545124bee30f56db50badab958482956e21c9c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\bswQ.exe

Filesize
564KB

MD5
68a17aca45acf7a8f1875fb8199b8772

SHA1
c1ab31c227d67c87c288abceda2388442c3b1f9d

SHA256
a2098ea04c6ec6e65cb4a26d8b2e9bd0d2fb43c06d29534298f285161697d508

SHA512
1b770779cf526a25c4385c6cd32cc6a526e1cd2c8f0dc83c933275bc44c9be132ce8de235ed361452f13c10ca5b8d3d775a32dc3d80684063eec3df08819f5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwEy.exe

Filesize
112KB

MD5
3e722677dc15668109f91784ccdd810b

SHA1
5fc3a0f222147c9869c094a1971bc1af6ac081ab

SHA256
12f7e385e070739c8f096a9b489b21ce7c501f689283ccb7887504270e2fb5ba

SHA512
0755f26e9f5a783893f8d960955d1405356dfc8d069f003a3e0757f6bb38340bbcf0d0f17921242cd46a3c6a05d0e624e2e502e2dfbd5b785bb26ccd34d975bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEg.exe

Filesize
570KB

MD5
a5280d97794dd1c18d33ae1670c12c62

SHA1
c4eec95e62e6f0b2987a7f8c026b4dde32d85c3b

SHA256
596421dbcc3d61e30204d9f51d82d109802b9c9015cd5d28353706c4a3f93c09

SHA512
576a515750a2e927cd8cd82a78b6100a2a9a1261f606bfefa54e118acef0ce110cffbb9ad578d960b0d5496cffae2aabae22da63698233df4c4b828cb6a2c0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUoy.exe

Filesize
111KB

MD5
5746fb8713de1d45634d3f3efd3f960c

SHA1
19694efa81358a01973c5792b3f67b4040767e9a

SHA256
92067c66bda59c5e693a5fe2c9a7973022a39fa0d3f1056e07eb992979fe684b

SHA512
dc088836a81f11c20bb52fc181436f68b67bd2e5c8db9fbde4da1b7fab1f89fa6f8badb6f86653a8bf8fabd61eee1a7e1a50592bb2231fb73323512e9e168e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkAq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkYU.exe

Filesize
891KB

MD5
ddcfe74d0d3a0679691a6709745ebb0f

SHA1
f619e40cc824bacb79b005089ac96b1672072c45

SHA256
f8300f6d2ceaed76c2095cfc7e367c98e8d68a1fe7f51714e78fdfb408fc1aec

SHA512
016ef10d9cc0e346b93577cccd41cf9b169b473ab57faf100b8fa98dd245c26384fb20727de0088825aadbffdd3c707f9efdc228c92786477e24cfa86c367959

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEEG.exe

Filesize
961KB

MD5
bff560d177f0eabf1f78b8c5f1d1bdae

SHA1
12e1cb15767a5d9ef275f768786d31c05db8becd

SHA256
3486cf3fcf39eb5c0bbde83e2d066c0f6c4db01ea5b12b33447f5c4829f7d089

SHA512
c9b4f95c65e563f082877ebae8d7bea5ea9611c55e45afcbb2d68df89c4e36d7669e9450001c447ae81341e1df3cd22031b4be70df76a6325af43facf50cbd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAYA.exe

Filesize
112KB

MD5
1031790104d6191f9564ccb4dea81a0e

SHA1
81801535ae5a62291caa95adac3d5b5c1950c45f

SHA256
4cc51188b7e225a702958f7a2308f841f50390c2ffd9a004ab7dcf0e3d7e3b71

SHA512
b1f32b4b2dd8d93978864a9529138567ac5830a941345dba24395d31cbe0a39b26ffd00c9fa952b7b2eba5108ae84a3bb9e3c525ce0977384fed36473eb20f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAoW.exe

Filesize
111KB

MD5
54b34a7c91b9b01de26c51b1954e4eef

SHA1
28ff5aebf841cc9546584432e625127d1e1a8bd4

SHA256
33616d0081a482526f9f6ebaadc69230bfcc613948e1b5dbfd8c04fc012403a2

SHA512
a5449801161869461fdbbedfa90487919d2bc2edc519bcb3a98d232549f6f204df69145598cd1be3a9bd1b17ccb3d3798857fa759ffcc9c3fc29cf5c6e4810c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcQE.exe

Filesize
114KB

MD5
7612a1c6e7e26c906fd87ee878d6a819

SHA1
06c46c4d93cd885d96da55addc40274ddd40b71c

SHA256
acaa5f668c0cc130f6b21d49159e63fcf084d75c5ead8fde9216bfedfaa7817e

SHA512
b599044e8e4df97d8f4061997f4b44079d1b684b6211bca1b97427a1a27dbc45371fcc0cbdb9cd526efb4a4a521b3e6b79812fece0b95cc33cebac3b765a0ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEoM.exe

Filesize
112KB

MD5
2bcc6aa603b127274388e167619a7c90

SHA1
10412b95e662c4b3a40caf5413e949e8837d84fa

SHA256
625b1314dbbccc1175192fc10bf3cb8bb1db8f8f91bea3fd23ff6ecb5a43aba7

SHA512
4be7b6180a181b5b327487cca82ec4713e215bf28797afc358f8891e834b34aeb1dc3861ecc4991c18d8ae20f98ffe633978552a72277897bd7db2784c3f3a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsm.exe

Filesize
963KB

MD5
541ac55fdd8fdb01a689f235bb155139

SHA1
5db2f2fda07526356b548910382722169d42af8f

SHA256
dbd9bacb1b0926d0d78ae51086b2b98a0d8d0eb02fd3499f7dc519b23a8b4062

SHA512
34357a5c4e24f02b67a06ddd09eedf2bbced2cd399971cda26000ccaca3cc41fd7fb60cdf165187145f48c454d3f3e276877bf74581a13c0d5547327744fbbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMC.exe

Filesize
111KB

MD5
56e9d05396aa8e888286004341fdae4c

SHA1
e7bfde07e63a80a0d45c839e4e3e7b100db1d49d

SHA256
62d874e55f52c71a0400896558266857362d906668cc362cea973c9888873502

SHA512
f1b9fb3f5858e28cbc64b345018f2c5a8dcdc596fe1d08c2aabd230a89dc8106137dffbfa24d776c163dd55a5928e6c27b15b54044f8d7142874780292e3c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQMG.exe

Filesize
116KB

MD5
3296012f860ff5c2c1b334e3d3b4c555

SHA1
d76ac4c7becf12b3a30235b3c243ae94ab4b36aa

SHA256
a3dacc2ebbc0f4d974c91f16f487a36b0254a9019e37413278988f209d20e463

SHA512
80acec103786a69b3be51b8983caa4b813f2b414c5a8add9ab26690a7a964c943f259925e88e1024d7e8d631009a6a4c9c94a47ce795604ab3bd82cffc87cd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoky.exe

Filesize
119KB

MD5
5852c5f33292c0476cfe0963fd0e603f

SHA1
a996b0d247d373b617b6ac589ef754d04acb2a75

SHA256
6875416929372f4d9313eaf72246ea1988eed87f9b88618d9327098118e4ca8e

SHA512
28e07b68d6894e7db7186f374141840c9cfcb84b8970f1ba244720ae988856c97ca0e5fa5d05ac774a28eaab7e5c2a3bf99da62e4400599d90364262ec20d314

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsoc.exe

Filesize
116KB

MD5
4fddb8f840ae037bc1c5f0cca84002b1

SHA1
a9df49260a3008f6e18f6f20db94b57b7cf6605d

SHA256
03f0cdad72120bc405a7e16b5cb319fca3b1ec6fe8c1069a811dd25aa0169b6b

SHA512
1663b2d475fa6c0511a8974bb36d78386c21500d3eb20f62f9a5a15e0f12c8bc1b392cb047beea1b92beae3d9b46284d44ce70b8ab5720aac9db78f408e61ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwkc.exe

Filesize
118KB

MD5
182d1f0bf9d9ac1c8f97ade33fe0e7df

SHA1
f0c30a196d7d4046a94e18a773bd605d5637c437

SHA256
a062095058f2df0a810925ab5380cb74ebd00089b511d9c1f24ce5d746ac6f94

SHA512
b61ddf3c67c1631f9ce4a7c3849cf9221fce2ae85dfc20bb8c53172e82c73acc821a41c15c53068402e2a46fd4472dc34b40296cbfbed854a3a2537511b6a1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoa.exe

Filesize
109KB

MD5
d8ee35ca70442e69580190762d0d44bd

SHA1
7a2b9e22fb700f039451e44b12cd9651cf9f87cc

SHA256
d741cd9c02ceeaeaca5340b08292eeae335361ca34427abc8d31caf3ce18f155

SHA512
bd9941da8bf2743ffa1db6144380d101df6f83e0e115f6f4a6410fed8ba6e3a80ce72a77a931f9b6f1113ca2b28eabcda219f0a4739e1a958b12fa85ac609940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYg.exe

Filesize
529KB

MD5
7dde251b7cad2414da67863bb58c8613

SHA1
a059ec5c85dfb792cca87842569bf5beab1d1ccf

SHA256
4a9abe1514b571dc02c94d4523e461e0454361276eb135e194a71b465e05038e

SHA512
64ae4f5fbf7fef8681f73d7ac8ef9e85816055239be7cb5d993a95971199cc40efa2b2387ec939a8da9a8dfaa9899e6bb82348c815139c2ac51748a26b9c5f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iooC.exe

Filesize
116KB

MD5
1642f335fced207e74171478f7dc2adb

SHA1
4e647e7b55694f4b5da224240727051136f2981d

SHA256
4d588dbf7e6a5add13da3cc7deecb76c737a001052fa141f3b4c0de6bdd6f49f

SHA512
9ddd6fbeb0ed97489821798cd92bf73f630c36a34403932358776f36dcde174f260ccf90f245f6ac12a894a77d088e825f1617eeecd1d47db93ca0318a185ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIIQ.exe

Filesize
770KB

MD5
1663eaeb288f684d576d745928a1057f

SHA1
b8b9e9dd00048cbf32a8c79c3bd49c5773fd6549

SHA256
4d4c4fec1da5a0f102da775825091574cca92c1c231dd76bab1ba37814e0f80f

SHA512
52f4f67055b2fb01a88a0940f2b51f169f6079116042fe7b79a04acadacebc44b3757d0e33a7820b81c39d3759668a5db53f22051ac8b3ade4b305b39b92eca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMwq.exe

Filesize
111KB

MD5
cf4d6b8f6c3a6600ec52b7cb91eb65a8

SHA1
bac36ae3d13066cfb0b76a746fec7fc581112303

SHA256
a1ca6a072b7a019a29e3e7773a283a73b335c164ba1a8b80923bfb3a4aaafc98

SHA512
c1959d4843ca117329ead209ca1ee5017b4f1b0e4500462e0d5b7b7a1d6a563ee9dc7488b15737d52712a2dcd2b31d63729d9aa077f8346ee3492ccad73c0ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMg.exe

Filesize
237KB

MD5
5a7b09d0e7611d24e08486700d070aaf

SHA1
7da7fbb8a71bbfa757c504f19a5284ef89694b2c

SHA256
c5c14b05597902a90076fb34991bc45c30bd63e90a7cd4bf113f8eabf661a559

SHA512
dc4dfa5e8d65e83efee54890f3b7c41db096c0a86f87d3ba96ac395e637b05671e792c1296fce2eddf84b83dd3a7891ff562d9d931c4726944a83fa69863c4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAsE.exe

Filesize
111KB

MD5
c4196f8a2a998eb9e8f20c5417155a05

SHA1
e0853848d608d371aad76b0b877f5d09cb600afe

SHA256
2001c6fb366675c92ad5354ec46fb70ca05765afca4ae20f1d5dbeb399fa6b36

SHA512
ab8576f1a512903fd585c898750552f3836071ca4a89a5bcdef98b070c9e348dfb85ab1a448856218e870a80f797bf5260a047d3cb6d0bb3928140bd1ee88480

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQsI.exe

Filesize
114KB

MD5
7a5a6120a7aff8ce3a974f5abf15aa33

SHA1
c17b96ff7a4b8b039a6e7d9de6ab37af8856f66d

SHA256
36436c3f3d4b11538d84a762b6643748778160ad8efc4ce4d984fb8bb0f50165

SHA512
68cd97a9e890e0312084c0a4c4c9427767b334aefb2e403bf0a9451f5044962ea8e5eaf150e730bafbdfdca0f79d97e2f648cbbfb600bb2e456371b044d02bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwke.exe

Filesize
2.2MB

MD5
70979c5bb8d7dc16b24ddeb02ed14faf

SHA1
c32d517478631ea53c45a1f2daf2c6017494055e

SHA256
72dad6a5e541a6107da446844180a5dcec01d91069ce7bca2a08e35c588b3f30

SHA512
64efa84eb5fb27ee2290f314321697b63fffff80d572621051b90035ea51392a0b821545311b8c807fdaaa88966203984557cfcbe83e052a784300f568ea6504

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIK.exe

Filesize
111KB

MD5
8fc844ad03cb370c30b75837665c774b

SHA1
52629f07299d89ba5d53de23ca4bdf23c1fdc2c9

SHA256
5e3ac2b1cd0b4c97fdf554661b0e87e461800543a0fc4ed211c468dfe77b5188

SHA512
b7d0f937d734423eae9015e5002448dcec473dcea0b1c7a9ac5d6355739e72ca86ec2542bfdb2a4317f967ab254cb96ee4b41a35e2d19bf6c3444c641c4d036c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIkK.exe

Filesize
111KB

MD5
7bea4d156a4cb8d46708bb117fa398ae

SHA1
78f35b9a95025f16b3a0f438d4c3aa97a27707dd

SHA256
d2add8897d44503a21d88f11e310d67ddaf399161fa9b0b6efff72495dd2456a

SHA512
04edd81f41f72dfa5a596837222553cd13f93118bd3be81e3834426527343652315e2ca4dea87146cedb15a735e0d0916e203b5b9db74062ae6fda7f80421caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngwa.exe

Filesize
109KB

MD5
513bbeeb48e5076a5bc5ba418df74b21

SHA1
fb4345bd4d273524d1995b7448eaf27cfd679198

SHA256
e08f7dd85f8df06bca73c41168219d939d588bfa437b24c6f82bbe4bf42deea4

SHA512
e2fc1a09d761e6040f058baf3f0b2f8e9cf3548c6cc1b64fdf050881db7fea729fa127bccefa391fd3534a89ee1c4a8b8ca5b56239232ec929aff8111794cc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwcG.exe

Filesize
120KB

MD5
b5623d08b70e0d66b21e158db58043ed

SHA1
f370f36cdc1aee103ec77dc8085cb420729e001c

SHA256
0a4cec3bfa72d48249e6ebf081c861348f2f98944a2b551cc4c690a77c65d0d1

SHA512
1397e829ee4da023f0f6af682223d45602b37e557e05976353b9eb1a345c508c005b7f7ee67ac5d009e1bda8569d6805944a16f2bd416c689260094359a4f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYke.exe

Filesize
113KB

MD5
5280bcd9fd2f4f3208f792788206e508

SHA1
4e311282cbc8c2f7102ee403ac853f219ca3054a

SHA256
35e7286ff88771bdcf8d0d57fed06d6f628c0fda18f97f339cc054fc78c448d8

SHA512
3d98a56717dd20f23c86c6fd325c73ffac8a5d0d80c8ec4811b6f2bef7ce731503a02a2e2de4ae58bdb050b59ab096ba53bebf5ceb8cbdd5333a41a9cb69e66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQQs.exe

Filesize
109KB

MD5
79dcbe18951d2d62870bff717c202dea

SHA1
2340fb4df802ba98ff16a1dbae64c1f8552d6a73

SHA256
0e440bb0e69bd426cae91b03c5b2d50ff1e8d8e54cf73a3500c52e93d2659399

SHA512
41da5e3d7400b38241310c711e6fa42b9b6c4255b2166c8677905fd5a98e5e0f5a67220015520ca434019c919670efa33fa6566edaa64e3f5581891c2e1c7313

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQsA.exe

Filesize
5.8MB

MD5
8bbb7978859160d7064ba79e7738f415

SHA1
cf11a9c358be5b62831a03daa18d28e420b4896e

SHA256
48d2719d08059a4927acdcb01be0c899d7e681cf98bbe5a93b095f95ec897b33

SHA512
bf1b88579a8809bf5ff7409035a1c8395dcbb8cb7769fe970d7d37352a73ceb9cca6bbca66e996ed7bb7ffe0afcca23df3c5786e58c771126556fe625a79ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgS.exe

Filesize
112KB

MD5
90091846363222ad8384527ac4f28916

SHA1
f150526e5ff6283f8df4110ba3bdc61279572840

SHA256
299e74cfc2462b65060fd79850da8abbb70458ec090e6a24db55b3f37b27c2f4

SHA512
05d62d616bea0fab262f3fc7f592b19191023f97f331338b14a3870f6ca35a73cbf7b16cac212090520e8dbee43342dedb9c3ee6e889f7e6d4d38617b79eb16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMgy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcm.exe

Filesize
111KB

MD5
cdda0b218878d38eede6628a6d2b01dd

SHA1
339af4d278a1ad7ad05e84d185cb86c70cda8dc1

SHA256
976d9d65030b89de969da7aa80a7866f9d24c5ac0167a2550dddb404f6878cb9

SHA512
4258bb7da45df7b3075fcb210587e68a4551384eda06af098e7acf46812bda000b7d660a400cc5e56c2521ff173eb8a368692d507eff7b8db5c3d55e347b00a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUi.exe

Filesize
113KB

MD5
0349d061cffd8a50d39a5dae983a2a0f

SHA1
862d577ea0cf7052322337f2e0e7828c9fb97c23

SHA256
b3a65c27282bfe3c9fcc344abefe124f2754c98dffd4008eb0a70989a89af9f9

SHA512
5ea6dcee969733b5622433b8cc70abd5e829129ef7a09b31a7f90801534298e23bd0f1eb4a591f1e743b5572bffca7fc2c9df7cc977c952a1e1f1cb9a661021f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQE.exe

Filesize
110KB

MD5
45983ed479c5f83cf07d405f44eb14c4

SHA1
712f8d97f67d979257bd78e77746fecebdcbb684

SHA256
5eff381ef0433b9a5fd62fcdde8dc07782cdc9b64219f0b0e85fceb7a2784b44

SHA512
18393bf16964ed671756db1e3e7d0b28317ea01933a9db4f1db25d459462e1120bf03143f57d7371f8d5d0f87586747c26d473140b1b04d4beaf364922f4dd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAwk.exe

Filesize
111KB

MD5
7b524ef3854597bfa32b0c6a6ccbb29a

SHA1
4332af10d1bf30064b555c606c3f2e6973924c5c

SHA256
b329aa7dc463a7fdf262ba4f205ff8871285118cfcd7dcbbe22a24819ee1f749

SHA512
d0faf947f78f95652227f582862dc18ab3467a491e9179d0f25038f15804b9f490fbb518905638da906fb74b9287d394c05bd4693f78d1bbe810f80a846e62fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEko.exe

Filesize
384KB

MD5
d7b47d1930d6cc5429689cfda9defa04

SHA1
51468ab0b003d24dfb40c73c907026cac25e74e8

SHA256
f13b3f5f43deeb89f61a97a6c7b81d3eea442bf9bce350ee502d15cda807fd1d

SHA512
ee31bf31180376f708c5fa22ee3a0ea135ca0ee51f3e6e861b8da90dece9499770bc892517d1c2ff97d94e107f73599550bfa2293788ac114a40ccef66eba3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUgE.exe

Filesize
113KB

MD5
a08cb550f47cd64af3f6ffe9316f49f1

SHA1
e0abd21471abf57a611399a4e22c3016c48115f8

SHA256
c451469ffe2a0ccc2d0885f0dd660314aa4a7c8e6dfe22874962d34bfd7767a7

SHA512
bf51ac23ac83f4f35bf932cf1707b09b6f9a7037e3076bfe9626c4180a90751c5e6605c51e0ba2071d51a4c5b3286deca31824f7d43a105e1829b25e403048c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgW.exe

Filesize
117KB

MD5
de624cd44f2c54657f0c0489152bd5a5

SHA1
60bdcaba555cacaaf049729415a88642fb008efe

SHA256
19c007b6147d0c2f848630b6d260ef1eb2d284a19cf3f9a2566fa1051c275683

SHA512
f2a9d400319b23cb884f3f6dfc5ad0fc9ea3318d62e9ed7c05466102420638a23528cce01e628f20f5389ee9cf11303203e2371a1a6e86bfce54c8781ef055c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssA.exe

Filesize
698KB

MD5
8680c6fde6e7833d99622044a432677a

SHA1
f63c8db3f07140c4f141a08f638b36a00e2e832b

SHA256
a4e5d2c74c32d5fec22ca0efe6758995431d7fbc19151cc63e477401f2d74e23

SHA512
29cb8b680b1cea4481a8e0be57a8574d2c41809a899579f743a504d1eecfea30042bc847553451400092d9b9d2fc575e6cd5e59d50ca97fb9dc140a86b108832

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQE.exe

Filesize
347KB

MD5
82d3d3776c298315a2dff4d19817a87f

SHA1
f577e3d2d1438d748486e8b5cf0dcf82daabeb9b

SHA256
99f26c18e7420feed8f623725350fb7904e69210435193cd810299165b196170

SHA512
58ec4f90bd0940845fcd2f09fa0ffe7a9f36975186c8247d6dd71823c87608f8598b614da52ce181555722873d6f1bfad31701c9feb077b88eeaea2131a5c939

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggokwkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMo.exe

Filesize
110KB

MD5
ca460c031784712e7c3a5fca1d0f1a51

SHA1
65a23db5d802784a83978a1bbd09b2db7e939ff7

SHA256
2a836bc841a7eb79674914b6678f045857f9458305dd0164864bcd6c95b87138

SHA512
6853cbc2a988b4ae8d7ae55d3fd4ab3ff1b91fa4b95ed71a0ed10ecbad22de6064a7f3a4a8630af0ba88f0ec4cc96073e612b5097dd112d5e85493811604cae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEEI.exe

Filesize
112KB

MD5
e8eb4138db688d00eabcea6dcdf0517d

SHA1
1394b9fd03e38b2d155fc111c031204e276ee9a2

SHA256
5be4ef2b9486acc6ed78f6eb71f5039f91f55f42d471f83eba80f4ab9476b3a4

SHA512
495eaea8785f5d4814f0a564b0ca412efb789b62430a4e7f5289ab9d78a6d6fbce28fba7b58f638d3169b1a082656647a902cc6c02d79a0b2822cf428d80ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zksI.exe

Filesize
154KB

MD5
d73db8e200cbbe5421194deefde93127

SHA1
91283db9728434c57837e4c7277fd269f5564f6c

SHA256
6b5a2e684b799a7eee2a0b6fb3256c1a5da39ec4b95d5383ad0d76dd9d89dc5b

SHA512
9b68679e9a98626564b6a3098d43780e152a81b3090e51a7395000a2f295ef7b70a2b8b71882129c30321b2389e7fdbfb6ea193c907667f64f529bd064a24625

Download Submit
C:\Users\Admin\AppData\Roaming\OutRequest.mp3.exe

Filesize
467KB

MD5
70da0bce236d85c8757e24417cc4bab5

SHA1
5e13071075cafc87d47241038f5af31e4012963f

SHA256
49b11103ed1e693a0e06f9eb9aec03fb5b36172bee0c5de6ef50f4c2612342b3

SHA512
63ba2879ab57f607a2bc8a8967679d6279e8357954c978f0dac488313aa6187a0d56c22161311ea71bd5e7339a87dec98f623efbdb8a83d17c5e330aa341d210

Download Submit
C:\Users\Admin\xksEcwIU\MKQgQcUM.exe

Filesize
110KB

MD5
fe6305fbf7fd79d5fb6bcc2f8aa2919d

SHA1
099ca56f82cd22cb1005f9c8991e4e0419395b72

SHA256
8af5dab8e09ffae83b4b20acb0a8dfa6620d4d1beee599a367d22eca4248a3c7

SHA512
36cf05bdfc0944f968d4b80dfac410849cc7f86f6c37cd9b491061e07b03964ad16941800c1433452544224dbb425f8b9704c37d65443ee23047be28b1f024cb

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
9fa974db5008271d070410ce04021da3

SHA1
f4d8da91748c19795f5c77c61823e26be7f2e4d3

SHA256
a8f1129bc2a2055d9ca36102bc36f7ee846678cf8ff9d9f3ba6ced49e350e68b

SHA512
8574e53f1f660aedff6c7fd031cb63ce74ab809d85e45316ad69563bb207128d22265641f40d747a26aafb4887beacf31a71ea804b31745e4569372e0b449610

Download Submit
memory/408-312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/640-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/640-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/744-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/744-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/932-65-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/932-35-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/964-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/964-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1172-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1272-371-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1520-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-166-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-162-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-177-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-131-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-117-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2248-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2276-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2276-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-363-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2492-351-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2848-154-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2852-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2912-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3004-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3064-37-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3064-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3096-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3096-295-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3116-329-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3116-318-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3304-321-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3304-308-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3324-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3400-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3400-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3528-355-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3600-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3676-303-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3676-291-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4416-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4416-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4432-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4432-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4476-338-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4476-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-268-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4856-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5064-337-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download