065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
Size

138KB
MD5

5b7d116dcd141409712d52fc2634151d
SHA1

735f53f6ae5eeb811cc8dfb0151be6e3ca1ce5d8
SHA256

065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
SHA512

2935a1241377892efdac0cd989605a922e73b95278feb1f7c9c816cd868197c42dc5223345a6fec7caec3a077dce3eef8001f8c6b7767822a3076a39f90ed7c3
SSDEEP

3072:n5v3H8Cip2wc2BQa8kyEU+1W8cW12s2hIbsini+KRIft5ZrDY0w7q/bUTFDQpu8z:n5v38Bct2IeUJC12obpPKiFXi7wwTFVE

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	1052	Process not Found
28	1052	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	aeIsIIQk.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	aeIsIIQk.exe
3488	tmcIsYgk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aeIsIIQk.exe = "C:\\Users\\Admin\\AKUkgQgU\\aeIsIIQk.exe"	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tmcIsYgk.exe = "C:\\ProgramData\\WCYsUcYQ\\tmcIsYgk.exe"	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aeIsIIQk.exe = "C:\\Users\\Admin\\AKUkgQgU\\aeIsIIQk.exe"	aeIsIIQk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tmcIsYgk.exe = "C:\\ProgramData\\WCYsUcYQ\\tmcIsYgk.exe"	tmcIsYgk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	aeIsIIQk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	aeIsIIQk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3020	reg.exe
2216	reg.exe
3548	reg.exe
2740	reg.exe
2556	reg.exe
404	reg.exe
2704	reg.exe
2976	reg.exe
3472	reg.exe
1924	reg.exe
1664	reg.exe
4072	reg.exe
2328	reg.exe
2216	reg.exe
3080	reg.exe
3872	reg.exe
4620	reg.exe
4768	reg.exe
392	reg.exe
448	reg.exe
2652	reg.exe
4692	reg.exe
4852	reg.exe
3804	reg.exe
2760	reg.exe
4816	reg.exe
2944	reg.exe
1452	reg.exe
4416	reg.exe
3176	reg.exe
1944	reg.exe
3748	reg.exe
3424	reg.exe
4408	reg.exe
4248	reg.exe
3416	reg.exe
3708	reg.exe
4524	reg.exe
1624	reg.exe
4756	reg.exe
5020	reg.exe
1040	reg.exe
4356	reg.exe
4524	reg.exe
4336	reg.exe
1192	reg.exe
4496	reg.exe
3436	reg.exe
4276	reg.exe
2760	reg.exe
4648	reg.exe
2076	reg.exe
2264	reg.exe
1152	reg.exe
1192	reg.exe
3272	reg.exe
5036	reg.exe
3116	reg.exe
2300	reg.exe
2400	reg.exe
4864	reg.exe
4468	reg.exe
1544	reg.exe
536	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2384	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2384	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2384	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2384	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2712	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2712	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2712	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
2712	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4844	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4844	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4844	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4844	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3416	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3416	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3416	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3416	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4796	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4796	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4796	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4796	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
840	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
840	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
840	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
840	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4112	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4112	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4112	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4112	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4348	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4348	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4348	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4348	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1192	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1192	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1192	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1192	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3040	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3040	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3040	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
3040	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4944	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4944	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4944	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4944	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1932	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1932	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1932	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
1932	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4508	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4508	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4508	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
4508	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	aeIsIIQk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe
2044	aeIsIIQk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2044	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	83
PID 4000 wrote to memory of 2044	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	83
PID 4000 wrote to memory of 2044	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	83
PID 4000 wrote to memory of 3488	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	84
PID 4000 wrote to memory of 3488	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	84
PID 4000 wrote to memory of 3488	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	84
PID 4000 wrote to memory of 60	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	85
PID 4000 wrote to memory of 60	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	85
PID 4000 wrote to memory of 60	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	85
PID 60 wrote to memory of 968	60	cmd.exe	87
PID 60 wrote to memory of 968	60	cmd.exe	87
PID 60 wrote to memory of 968	60	cmd.exe	87
PID 4000 wrote to memory of 392	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	88
PID 4000 wrote to memory of 392	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	88
PID 4000 wrote to memory of 392	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	88
PID 4000 wrote to memory of 2188	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	89
PID 4000 wrote to memory of 2188	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	89
PID 4000 wrote to memory of 2188	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	89
PID 4000 wrote to memory of 3772	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	90
PID 4000 wrote to memory of 3772	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	90
PID 4000 wrote to memory of 3772	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	90
PID 4000 wrote to memory of 2160	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	91
PID 4000 wrote to memory of 2160	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	91
PID 4000 wrote to memory of 2160	4000	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	91
PID 968 wrote to memory of 4812	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	97
PID 968 wrote to memory of 4812	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	97
PID 968 wrote to memory of 4812	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	97
PID 2160 wrote to memory of 2280	2160	cmd.exe	99
PID 2160 wrote to memory of 2280	2160	cmd.exe	99
PID 2160 wrote to memory of 2280	2160	cmd.exe	99
PID 4812 wrote to memory of 3544	4812	cmd.exe	100
PID 4812 wrote to memory of 3544	4812	cmd.exe	100
PID 4812 wrote to memory of 3544	4812	cmd.exe	100
PID 968 wrote to memory of 2540	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	101
PID 968 wrote to memory of 2540	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	101
PID 968 wrote to memory of 2540	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	101
PID 968 wrote to memory of 4508	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	102
PID 968 wrote to memory of 4508	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	102
PID 968 wrote to memory of 4508	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	102
PID 968 wrote to memory of 1612	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	103
PID 968 wrote to memory of 1612	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	103
PID 968 wrote to memory of 1612	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	103
PID 968 wrote to memory of 4108	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	104
PID 968 wrote to memory of 4108	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	104
PID 968 wrote to memory of 4108	968	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	104
PID 4108 wrote to memory of 3412	4108	cmd.exe	171
PID 4108 wrote to memory of 3412	4108	cmd.exe	171
PID 4108 wrote to memory of 3412	4108	cmd.exe	171
PID 3544 wrote to memory of 1220	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	110
PID 3544 wrote to memory of 1220	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	110
PID 3544 wrote to memory of 1220	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	110
PID 1220 wrote to memory of 2384	1220	cmd.exe	183
PID 1220 wrote to memory of 2384	1220	cmd.exe	183
PID 1220 wrote to memory of 2384	1220	cmd.exe	183
PID 3544 wrote to memory of 1536	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	113
PID 3544 wrote to memory of 1536	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	113
PID 3544 wrote to memory of 1536	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	113
PID 3544 wrote to memory of 3076	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	114
PID 3544 wrote to memory of 3076	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	114
PID 3544 wrote to memory of 3076	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	114
PID 3544 wrote to memory of 1820	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	115
PID 3544 wrote to memory of 1820	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	115
PID 3544 wrote to memory of 1820	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	115
PID 3544 wrote to memory of 4604	3544	065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe	116

C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
"C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AKUkgQgU\aeIsIIQk.exe
  "C:\Users\Admin\AKUkgQgU\aeIsIIQk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2044
- C:\ProgramData\WCYsUcYQ\tmcIsYgk.exe
  "C:\ProgramData\WCYsUcYQ\tmcIsYgk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
    C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        8⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        10⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        12⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        14⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        16⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        18⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        20⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        22⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        24⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        26⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        28⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        30⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        32⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        33⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        34⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        35⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        36⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        37⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        38⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        39⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        40⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        41⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        42⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        43⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        44⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        45⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        46⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        47⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        48⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        49⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        50⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        51⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        52⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        53⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        54⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        55⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        56⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        57⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        58⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        59⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        60⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        61⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        62⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        63⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        64⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        65⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        66⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        67⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        68⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        69⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        70⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        71⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        72⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        73⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        74⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        75⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        76⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        77⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        78⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        79⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        80⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        81⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        82⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        83⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        84⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        85⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        86⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        87⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        88⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        89⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        90⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        91⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        92⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        93⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        94⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        95⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        96⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        97⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        98⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        99⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        100⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        101⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        102⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        103⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        104⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        105⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        106⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        107⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        108⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        109⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        110⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        111⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        112⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        113⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        114⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        115⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        116⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        117⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        118⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        119⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        120⤵
        
        PID:716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        121⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        122⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        123⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        124⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        125⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        126⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        127⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        128⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        129⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        130⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        131⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        132⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        133⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        134⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        135⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        136⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        137⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        138⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        139⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        140⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        141⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        142⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        143⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        144⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        145⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        146⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        147⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        148⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        149⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        150⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        151⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        152⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        153⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        154⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        155⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        156⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        157⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        158⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        159⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        160⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        161⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        162⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        163⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        164⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        165⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        166⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        167⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        168⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        169⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        170⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        171⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        172⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        173⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        174⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        175⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        176⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        177⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        178⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        179⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        180⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        181⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        182⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        183⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        184⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        185⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        186⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        187⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        188⤵
        
        PID:1700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        189⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be"
        190⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe
        
        C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be
        191⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUAQsIoY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        190⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syQEcEkU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        188⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEAcMEMo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        186⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmQoIMQo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        184⤵
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fooooAIw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        182⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMMocAUI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        180⤵
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSccQIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        178⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOggAEYE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        176⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIUQgUw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        174⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMwUsEwU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        172⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIUkckEU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        170⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCUwgEkw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        168⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQwYYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        166⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoMQIgIY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        164⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OokQAsMw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        162⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuEMsswE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        160⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgowMMAo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        158⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeoEMEgk.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        156⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poMkEMgc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        154⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wegUUkog.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        152⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqIEMEcs.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        150⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEEwgIQA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        148⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaEEkQEc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        146⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOkwokwI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        144⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIEMIsww.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        142⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuQskQww.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        140⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmMkEkEY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        138⤵
        
        PID:676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOosoAIM.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        136⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmgYkEkw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        134⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGIAcwYA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        132⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEYcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        130⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCIAEkwM.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        128⤵
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKAcUUMg.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        126⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyIUYUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        124⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewMwMMkE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        122⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWkwMAoU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        120⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcwwwsgk.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        118⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYogYskE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        116⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smcoUkow.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        114⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syoMQkIw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        112⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSgkkskY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        110⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqYIkcwM.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        108⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaIoQokQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        106⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmMscckE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        104⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIQIsoso.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        102⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmYowwgc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        100⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmMkYkwA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        98⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYwIMIg.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        96⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EagQUAIk.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        94⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYQgoUkw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        92⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGgkgwMA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        90⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoMgAcA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        88⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeIkQgAc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        86⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuEcoYsU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        84⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIAwwEgA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        82⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYMIIUos.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        80⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyUgcIUY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        78⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsskkAQI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        76⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgYQIMEE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        74⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqUMUsgA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        72⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUIksQAc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        70⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imgoswYc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        68⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQkAAoEc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        66⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUAccMYc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        64⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUQwMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        62⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOsYcEck.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        60⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUQQcQYs.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        58⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQEYYskU.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        56⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iawwskcc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        54⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkEIgEgk.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        52⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaQsgAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        50⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuwIIMYg.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        48⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BekYUsIY.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        46⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgUwcEIo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        44⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XowQkYIc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        42⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guwcsIss.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        40⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKUUUoMI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        38⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCsgkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        36⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmwEssQA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        34⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCwMQcUc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        32⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teYQMgEs.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        30⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqUcksQo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        28⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQQwQoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        26⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iswEMwsc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        24⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmwckEsI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        22⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQQQQoMo.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        20⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcEIUMcE.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        18⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEkgIEI.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        16⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuMQAkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        14⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUUwAksw.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        12⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggQoYowc.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        10⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuoMoIAg.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:624
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3076
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckoEoskQ.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
        6⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3420
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmMkMkUA.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:392
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2188
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYEooAYM.bat" "C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2280

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5056

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv gwrjv9XnhESR+QAa4WM1IA.0.2
1⤵
PID:3040

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
556KB

MD5
b3921a37bb52392c3e76e22de5646d64

SHA1
1c6ce864edad95a89ef5573bba3d05a369827ee0

SHA256
c4104fc22b9c34c4c66a9ecfc526a4b0e83928de04a3dd3cb9302916ba76b7c0

SHA512
40e8fe031a1e8a4fd1d6ea2a06e15398b3a5e00b8b8f69ae0ca0567b8fcd771dde6c3cd35a839820af354568a53316db5a2129a3784abaca69be0c22b2eb3fe8

Download Submit
C:\ProgramData\WCYsUcYQ\tmcIsYgk.exe

Filesize
109KB

MD5
73acd8405022b08acd768d979f8f90d9

SHA1
95c13073d0f67a893333eef6df42286374f91eda

SHA256
3b24eb58cea77b37b489f17b0c99e01a2cd1df7c7803c6bebb00ee79abc00a21

SHA512
721819c69d7e452419057530e8f3a69b78e48f8e57ec91fe4c94d62c01ee9a0eb3b14ff60ddf22b185778be8f06192c8e8cbc73bd59e7dd6e85dd89eee901ee6

Download Submit
C:\Users\Admin\AKUkgQgU\aeIsIIQk.exe

Filesize
108KB

MD5
85479c0458742e767b182e44a90837bb

SHA1
cf8518111e657ff77fb8cc4e1b116c199ffd36b9

SHA256
8629e198e2bd6b9c5b56246dcce4d00169d7fb88f0b2051eb1fc0bb574d215eb

SHA512
5b7a53cc11aacd36bb15e5907f50cb9691d929c061215efe818ad7dc38a1015c049371fe1bd08655cc919824122752e54fa61ab26c20225daf18405eb7e0ac65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
117KB

MD5
fdaf0d598f6ccbeb4760c9d2b8e5b22a

SHA1
9f1b62d5826163cea7d5bd2fc487ea4f6c9ac28f

SHA256
931845423284f7132bbc813eae06a0c0079f8734162c35d566b392ea28dfda44

SHA512
d0636149edd482c61bcdaa3f07b9c99c5dfa50614eef18eaccead1b59985fe6c945fc8754bec257dec00506e5726d9bde03088c914f719c2b9849c43c27e0cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
113KB

MD5
961b853bcdc1d175e79289ee2ce05174

SHA1
b2c8d8e54239fbc4aa00ca04eb2ea947a6c0a78f

SHA256
c31602df297e068208ba65d50153638949cabb75b6282ab46a5f5beab396d26f

SHA512
0443fddf36eca3bee7ecbb63650508269f8c92b0004a1b7b1071c2b43336278cf6f569a935e8f64e2ed13fb5eff3ec1b7611d90806baef68292a2242a76fdeb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
113KB

MD5
dc3a5390b7ea7e2d8a025cd1808e31b5

SHA1
5cb7f0933c24119ae613376682874cfd05a78f9d

SHA256
04bbaca8cb8db91b19fa663d6f79a6e6e4a242892e4005903e1bc22aeea176b6

SHA512
21951204d3c8831a9d1ed22068e8100d748528add25ae32307a93a724ec26ef78beb525e17ee951f2f3a30fce1e352009c3dad7f15c7514017e6eb44f5f43899

Download Submit
C:\Users\Admin\AppData\Local\Temp\065298b42028677b2db24bfc68b0354121ac0607fc8d2b6a7fdf72d687ef01be

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIQU.exe

Filesize
122KB

MD5
8e058fb4db9de00c1760aa41271ea292

SHA1
771751a864f826eb1fb3e9640dd509ca0ab1ef8e

SHA256
597327734f03420be0d55f64724db45fc285567bf0327ab5a7b5871f09f00a7b

SHA512
a92f72101447030f28cd314a1f4dcc0ee6e826244900fbcd30dcecfd244cc1924536e8e8d15a8b8f72710dc504878a84c7d58e5fe96788668852a26c0426025a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUAw.exe

Filesize
702KB

MD5
f81eaa28ee5e33a338137a82242ef82f

SHA1
7731643c761f978f630009f1989d85dda6214fa8

SHA256
045c9897d7c2d283570e3e3f2c46070399e3de15cff661a427f1360e69c170df

SHA512
a01871030dceca91a296dafe1ff52ac5cc53772d5419bc759aaa6a58e92120be270f036aa7be084e5cc0872a27905a6873d2453d712ae34f7e2e08922759ef48

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgm.exe

Filesize
111KB

MD5
ebb8e9a65bb6334c14466932b2344c81

SHA1
01ce92c5a4a059480f6fec6316e0f5476120f141

SHA256
d16e94c81d993e3bdde1a8a76cff8f6e8d9169c144bbd1b217e8e11cb570ecef

SHA512
b7267387c27b103da0f6bf073f761c20372a5245ceb8e1b51f70907ec6a1ca9432c8f24a785320cbafe4b6cc4a91333ee00ea230aeb69ccaec976af10f0c6dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUki.exe

Filesize
596KB

MD5
0b403b379673efa9c0c31a0c590adc9f

SHA1
0ea12c2a2102afb5822df1cd6a0e1486c5af512a

SHA256
f9a5a068bdbeccbd60e12c04dcf59540e25b6ab415769711d6d72f0395c44cd1

SHA512
f82e16419a32b7409ecad7fe4f2bb7922e3eb96e5f531dfb79e0ad402732d73b41b9ec60ab9f81cc681c7a113a6e698fcac0c4e1710937ce1bbfe5b9b50a5204

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYsu.exe

Filesize
113KB

MD5
7e60fd324e2bd8310a2e3713c3bbc68c

SHA1
1894477f973aca3bf4e3bcfefb9ba4e84cefc512

SHA256
f5656a38f5bfa3db252d6a484cf40f6f85ab3c109ef46c8847e21d8fc6218580

SHA512
b8d594fc7fc186f8273374eec2104d08f07a19f66d9ee207582fb23c5000c584ae56177b7b5b7c8ba2837c33b5b2a739f5b43eda19ed88316340c5cbb48655c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoW.exe

Filesize
111KB

MD5
4ee02defde0ce80060e32afe204c8c04

SHA1
925ce85ca33b90d3f53d5424dcaeb8a20d476df6

SHA256
90c2cadabeac325172969070c007761147118604ed2d201b33e8c02f82260871

SHA512
76eecb81bef1025d864d6e57ff3aa7b26d770ffb64c08aa707aff20081255eff9d88dbbe88385b8093e5e17c57fa75092e51ec0e5e6c7edb1ca2a45a6262f912

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgs.exe

Filesize
753KB

MD5
4a5a0f103cea8ee63b393a11333202d7

SHA1
3ac82493779da4d0a4c944404c41d40278daff1c

SHA256
09ba4f3a4f2f4ab6108cddbb53a566448acc4fe7089d4dd45109175ed741148f

SHA512
755ef05270b6bbfcd09734fcbfb99187a3124f4ac6ba8793953a108a8584544633b8e1897b5b8b7a59e20f1f9bc60e846da7c4a3c905b16c69d088e3797688d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAo.exe

Filesize
119KB

MD5
917842a357d268a952debc546bf3b2e5

SHA1
a62c1c33be4fca8fa75d662c4cba629207afe63a

SHA256
44fb36d7c4cd99c0584774b16ec4c93090dd01a896aedd7b0ab50318eef928fb

SHA512
1d16b948b287d329445b2b148ce5ec9ac921c588f29f435651c06e00a835d3f7ef83651708066164e95c0e13ec1a154a481d3d677848972bac27c1d1329bd0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMS.exe

Filesize
110KB

MD5
cd80c833b16d3c0dc70199b830555fc3

SHA1
f4d19984dd397aa36043cc5cf8f13212aaace766

SHA256
e34ffdafae29283368f86b2424cd71d3ee03dda7b6d9ce733b26db53236f1180

SHA512
9a321ea8e1b56a55825945cbfc6d1762192e122038666027b1cd8a1637a773c0666f2d9f55dd4834092cf798e3d4bae41de63111a32be26b091a5d65fdcf8bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwwC.exe

Filesize
149KB

MD5
445f6452bcef813eadb669d44100f170

SHA1
583e38f0f18dd82821af0a97ab1945fe3249a9b7

SHA256
493d9ff27c7c6697601d9af6e2d28f776d9e8d25c394accac2e4c1ec6f036013

SHA512
917e8e20763cfbb6329a5ab33a292f6f1abc1c6a720427f50ea2a42634b54fd250d1f78d49b2e14157845bf285a516583d192be949082f0db357de1bf7f6bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQcu.exe

Filesize
5.8MB

MD5
4e84a58693d3d069096e8e97362f6cdb

SHA1
48302deda8ee583c438577a78229f567b0c4ff6d

SHA256
f348253fbe80b688db88a8a87b7a48b4cf6be67ffae3afcbfdbc71541819bba0

SHA512
644ac2f644b3ac72d897754d6b2681bfd87c21c7da6d66d29280f5b6cdccf7a4354737bef030ec3ced4b0052f8f2810b3fa82e33edf3c7a5167e4888efb151a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsQs.exe

Filesize
116KB

MD5
fd653094b0deb877b788254d92b5ba3f

SHA1
d7405ffc0553d0430e140dbf88c17535237a3532

SHA256
171639921a7b9727d85d05825f939443fc2319f136667ec358c30f0b5f3bda5f

SHA512
10e9bb2fadec0fc1983c2e56c0b63065c58dbea78225e540c71693bf364948de105195761c6c8d44fbc2e4a8b45c22d17521911f77bafd9e7695f36afdcd9146

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcy.exe

Filesize
250KB

MD5
f8db95fb53b6b6c9c3dd9c1fe4841a36

SHA1
709281c5bf3b0bd652467d70f6928dd6e206fa20

SHA256
0f9b40a25be2882b31c9504677bfd1af8580fe17e0dcacdd869be450911fcce9

SHA512
1637c3b1f2633fc988d978e386ae205bde25dde6402ade91a1b10835a15ab662ec299fb62107bbf645382defc552c7a830f60934c5f258654d31a83699c333ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgM.exe

Filesize
112KB

MD5
48a3d271db4cfd6b40a010553c0bb417

SHA1
b0ddf1651d797a6557897ffaa00132a0a4fda6fd

SHA256
a7704a0db142016f8ffeaec494d3e793ee92afa0a87601153e69322e0e321e3b

SHA512
e3f0e611d4174f670d24a1d17b28a7129d62b3ef41bd4b898ebe2feaa70ac39c65f4e531bb39d571e68bd2e2c24e4fbac65ed5dba534d371b6ac8837411804f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgq.exe

Filesize
110KB

MD5
da1182ee45752c3227c4c9f3a1fc4ef4

SHA1
e1bf2496d632db40be23bf4648c266fe32f0842c

SHA256
f8f658231ae788be2ddb525299e634934f41ac32148101a54ff04c1ec7ca6eb2

SHA512
bfc98a46152f3582938f07f3c94680d32aca9c1f219bf5dfd3f5335233940fa3d77720e049729a5f613995b86d579e992f1b704f5abbe6997ed4baee6c1e6830

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcg.exe

Filesize
112KB

MD5
f17b523f99e5684ef42e2c030a5e08e3

SHA1
29dd3f2ace426a42895d83f8ccff5a6818d80930

SHA256
5a4632c778f76aeae682d8ee90c9a5b91c459ef92dd2acbaa8bd1b3729a2c7b8

SHA512
c39afd5d686c6d23a16f722142fccb12e8110fc7d5a38b30391ef675ea480c6d43d079be9d5ac979c7e415e86a39ca9764d3ef1d6d7c4d885842116a62127515

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcQU.exe

Filesize
154KB

MD5
ab81a098bc070e0ab24161fd49eba7d3

SHA1
e64c062fd6652e264afd6728053ce3cb58d45c64

SHA256
606d1432b994ec75617915c1480e0220c7eaa07a3ce71f21945ba0f9688acf7f

SHA512
5bae3400c74d06186ebda5354ace89431c7cecf843261f6885b791b171a0c14b070ce1dbd4a6a8b0d9b888c630d65861086f141445a2493f4293f303a8795f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcki.exe

Filesize
138KB

MD5
fa4285fb83e0287b532d32e6d99678ca

SHA1
cf2b851bd24c5a3065f9d1507b797ac235b69f33

SHA256
fc98d65559d9460b87990a36aa0a74aed980ebfda014d9aa4fe4cd41d7c01081

SHA512
fca554351a6531a69ac17bb306be6575a140471b0cc771f1e56431c8c8e1a787b5e8aa56a61be7c1e077428c1ec2bd226c75db2821d68ff3118af170cad0d0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggsa.exe

Filesize
113KB

MD5
549bef223b1044e2599a917bad2d4b58

SHA1
b43b38fb018a3a1eebdde18206310b84fd12613b

SHA256
6dca90dedfe4f72ee95d48d0ec1c9151aa104640e71fe47be47d0caaf18bdc0d

SHA512
cf641e606900bcf134eb67a977bef017a1fc2ff208a1542f08793e5ed094f833949b5b9292767ace304ec61236611df4e7567dab1be8da29eb538350b88074f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoEu.exe

Filesize
462KB

MD5
2f0e2feab2986b8e318414dbf33bd61e

SHA1
2e420fa4c33885f980ebebd859ddf0e8172ac2ff

SHA256
2264e0511a3840aebc087f714d74671d8bf9eb33fc63726786a6596ba1e82e7e

SHA512
259516d29735c1958a8a10c0fa9cb435603a46e7a4f0a0da8ca7f963f6c2f855ff3532af13e4900924b64d2350a5c01715e8fdf7be80fab8dc34d96b19bd1d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEE.exe

Filesize
5.8MB

MD5
40af3cd207342e31126f725b40d2959e

SHA1
b7656e9208355e0b8feca569b096bb1578600242

SHA256
fd41c21240ebfa9fdafbed1413e43fca131f3eb80b2bf157f9b177231f817c50

SHA512
d52475ef9cab81ff330e7ff00c044a45a0a7db05209d61d9453b3ee3aca846f577987ce76cb11cb89ad2208cabf555d65d6e96bc19071b1fbaa2bc38ae80c91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcc.exe

Filesize
153KB

MD5
1a2ef59b4be6aa10140e502902eed042

SHA1
0e7bf7c79d029420a47f63c4f07c2c6d4268eed1

SHA256
5862d4f5c926819570fe0a53392fcabce52e20cce49e9b64c2436b9536179943

SHA512
5b7c3482bfc5e8851c52e9113afe65fe23d1e4e3b01d2e4414ccdfe7ee2ed5e0938f0a29c6dd94f43db5912ceee52162b826380f65891f255a5ad13c4c1c6860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwkU.exe

Filesize
114KB

MD5
bfdd85a65f8bbaac3a808e323ba1d8cc

SHA1
1e1f4f6698b8726992ceae4e7bf5fe990a27be78

SHA256
8812a30cd49f7f0f2a60fe60aefea437a01a4bbb7fbb24a6408d0fb3fb04a5d6

SHA512
b03b2f4f730d02bb8b84d1499b57a096b30fb4a5d1fd1217c451ef8c0f7f6d5182ac4cdfef736961a96fb0cb8a022e3dc56c37ffa98204c715f929be37e359a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAO.exe

Filesize
483KB

MD5
d80abb55f4674ecc2d753fc12cc52548

SHA1
12d215876ec93aa8b6a6f852c75eb18905e3983e

SHA256
4086e81d3ed10be2865b91c023407f411e0b00194ac01a6b52e5d78b1bd20c7c

SHA512
85cd43a5d47fe5a595e01ed4119d1fd1f7b1ee27a42a8844638edb2e4e8f41cefc20dcfd49e6ee604a69ba0bb4d5efb4f709c1e0f6e9a1f915165b4e2de4066a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUkk.exe

Filesize
929KB

MD5
08bb5470dcd61b7ebcc5b743b7d0988a

SHA1
ceb6bb23103aa82586e217603a3b7fe256cd6ef4

SHA256
5a7f2936d5c4d426dc92a385f4c34edab4812a90f8cdfa14f2b876a646f9e65d

SHA512
2b96881efb6c5c3d85833718462d6bef3c1004555ca8512efbb2d107654c57da9ca0f30e9679578e2c08444309362401f50a9b876fd6597b2a1770211197a98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoYY.exe

Filesize
743KB

MD5
b45837d8da910241c45d45e993050da3

SHA1
e6c58d2653762f87690ea97dc5d9405943ffc9f3

SHA256
c30d12b2118f64111e25ab473d6a93bc7b9dd5d66e5cee6a962b210e29677516

SHA512
9fd137dcbd0763d1e5dded928cdd4adb1196fceb89a4067bcd5146a31e54049897139e72b3d211226629c7d801f3eb382e904753c3e468519bc8aaf3bb1dcbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwwA.exe

Filesize
113KB

MD5
41cf78dbcd8a93a9a16e088c5c29a843

SHA1
9b07913c1788c67010bd80d28ae1af7a4f9aed66

SHA256
3c3ff993a2d95f3196fcf0f1c07e9003ed6ac602e87bbecc91d1c7cd3706daeb

SHA512
5b6ed5035a306c24cbc5523e6b6bc86223d2bb1976ab9bcf76002b9f69385dca76045761a72a5b8756539416caaacaaca269221e0b149c8cdd968e169a5aa83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQEK.exe

Filesize
1.2MB

MD5
1779432791a034864bd29600cb3d9c0c

SHA1
7f9a2be9cbe9023aad6fa1ede229f41084d4db98

SHA256
f02c25ad8191378ab3352ed74cebe0fbdbd10d4ea768a9ec7b172eb9b1d376fb

SHA512
7470d688ae30c10fdb7364fe41cd65e1a53a883e5634dd183bfa39decc169a5830ede1613d4a5282dc2a5f0525d96908c03c35ae902672452c11de414d6470f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQM.exe

Filesize
139KB

MD5
1b709e1aae92f2ef7b719519ca74c3ba

SHA1
a410efb5a1d116f75fba3ca358ffa3fef51499ef

SHA256
036caa03c1935c5142c265f27c2538cf466c25150b8ddd9aec57b12f6e0af8d2

SHA512
04648f3516e1c845b97c4c847523cc890f7fcd43d68354458db7f827c53e556f55e3f5f6f905e6eeeb891d7737a254f332c85bbb4a381861d2cce6569b0fa302

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkE.exe

Filesize
110KB

MD5
77641423beb081edaeba288f6ea5679f

SHA1
b0b528ac353b1c0e823ce7e086a12e50057465fc

SHA256
7633eb03e1c8915254d8538e78cc90f068fdfca06e41f2defe10812501a5a495

SHA512
2b06e9c5125990601eace869178afd1e97652a9c33073d1dc0430978906fea8b84278f481d5808bf0264ddc1d5c903423f00274a9d2334f2325e50a290585ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggs.exe

Filesize
112KB

MD5
22bdf636aefe3d60e1be48bb25eadf51

SHA1
7e2279aab49015fc0a98eea6d25cb8ddcade9a01

SHA256
cd3a045ce08f54d8e900f07778d7915a2b7793d1cb53c962730c862b7f4a4234

SHA512
53f277367b76eee01bf9ce6a644ec3e38b850fd55cdad37bd1eff4ddcd8e6637793db0945b15293dd651a6922ec064d868e6d14a1820770fa013f0e1e1a936b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsQi.exe

Filesize
111KB

MD5
8b7b209486fdd2649a68980af07583fb

SHA1
0dd2f4b385beb5b56d5cbfae0ce4e89f27decc11

SHA256
eae39ac0c28c093bb3342aad5b69e5d7fe72acf593b5f81362e77621c701f26b

SHA512
af5602f6ccf10a188a862466a743e4508817bb00c8fde7c1516c2d12293116962dfcbbba139a36e69c123ece37faf21abf629f63f0cd0325655b9613ec156e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAog.exe

Filesize
5.8MB

MD5
81253b95a7ac95fb6f508ac05041740e

SHA1
1ec322b3fc2a4d2cca9f20c43a9d020a80b8ccb7

SHA256
f4afceabbb5ffd886735d3c96cc72ab1686893277cc2a0a13e40873e828159d2

SHA512
1535a4426d7af9646c5f3592f9d0b9adebeac90a92e9f79b50ba3b3f98b865d7d69f48aa0cde7c701b669151dfa5f82dbb8aa557ba68eeaa92879991c013d368

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIUi.exe

Filesize
743KB

MD5
181d7c5159b773c46c6174162c625f6d

SHA1
28059119f8b72b6ba301b8d37790c213e063e687

SHA256
fc1108e855e4ecb1efd26354c4f00c77e961587af2d7a2fe2558087ee376ca25

SHA512
869a69f08835a5453e56b676e5e4fdb603b7feb3e6e6edabdfb57367192a7e2c81d78ee53e9afc48bca278ebb3a4c3a1e2c16da39bb693b1e773d0daf5dd59cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMoo.exe

Filesize
120KB

MD5
b625253ec304abf55f1cff92afa15d4d

SHA1
2c2c694b3343afc651e7407fda615750f4f0e3af

SHA256
605c812acdc30bf2351c84996bcb0dc11010ef96ae50d1619ff2714f9ae7d772

SHA512
a914d2fefb6306d42611f262fc52fa284a498e780c44706430a79a508423289fe8c5afef7e92e13caef4f9c2398959680afc79273ff1d8b917c198306b3e4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoS.exe

Filesize
5.8MB

MD5
5a8963b961de91c44cbad606e9bf4c29

SHA1
686aec58d7630b38f0c0fa9c94b84349f24e2a41

SHA256
6f49212de2532108aaf270dd8b41af492a71b12fef5bb0c7361a2892ce297a37

SHA512
e7d10e95d4e5d82cbc0a43531e48b4758d80f5075e349d762f89481b01d67bd878af88561dfaf01d0c9f50d21a22823ab1872ed50d7db751a0f817c191b50fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgsE.exe

Filesize
118KB

MD5
ca05faa9164efae4b85b4dc1906c156a

SHA1
819f9b72ad55fd31c258b94f5472f1cd853e16c7

SHA256
ecd0413e8ddf99f65e7481190e86f5464f54efdd18107b67ca2c4c3af805016d

SHA512
d7f7408624875a05d1eedf63f97c79aa17f653cf8821f01065b4b1fef0b22cface65091f919e4b14354f827828e22362cb6154febab0440b781686dc3d088e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkQg.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwsI.exe

Filesize
121KB

MD5
6b163d7a194c7bb015356795d794af44

SHA1
43a58f08f424a0036ee359b6661693de64a310cf

SHA256
705037eb3252c83eddd51c52d3b61838ee1819a17b6e59e66ecd6bd65d5db823

SHA512
3ec1f980890b04e4a50b7f427ad10bda0d291708fe95635c6a7656020ff76f4f12a532cc9f780c7b10c48e32d3eb7774f7f886aa4f6a247b7f7f8882ca7b4a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUU.exe

Filesize
119KB

MD5
ca6dcf90322a11416304064aee499bb4

SHA1
020ef7d981530b8e45ab1ba5b13f0b21ad387bd9

SHA256
88a4c9b0362a5ed8cde00032f5db251d88c807ce82c3586017871d06e66b2136

SHA512
606272faae56819c7a231d7155b1af475b97817565c66cc66458a4e57c398d23259b6a3a38aa029639ade6f684a39e2ec9e2520236919979392178cd34994e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQQm.exe

Filesize
1.7MB

MD5
dbdc3ab56f1462f776db58bb51e43f2f

SHA1
af52da834f8962a5453e87fb421798e6ab7a34ac

SHA256
214f0fc106deed7027b4012376f193f303ed963126d649f2741722c42bbcb913

SHA512
46cbb9a91386a8410024cc7ccec9bef013f88864d4270c92ea21b2347035b343f49e198ce89ced942ccf04972f6b5a4505fd14d6bb1acb2b79c7b70f8e579006

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScES.exe

Filesize
292KB

MD5
effa30b3bdaa2f78afb93c69311e3725

SHA1
59476525f7c512477c45f8402ef47e95226a84ae

SHA256
cb56fcc6d3a52331b34202c0c5a3321321f32ee5bc0c1d584368c1615a488529

SHA512
ed43099f9b7bf7bfd989bb9da5eb8ae7e04a109e4a808a27acd34992770d880819e8767307166fa6f1330f94e6c18c38bd9d3df0bd433a714663d98482709433

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIu.exe

Filesize
111KB

MD5
1974bf340c2d972c20b9267556b74873

SHA1
c0ccdcbe15653b7a0e1e555516faaed62a24030d

SHA256
d217a12ff08fa837fb5d3c693caa78e2f4186fd2713dabc9b765be8cd6d64a44

SHA512
4d26b66b0150075ea850014957f0b0f6c7ae04caa825f1f23b61bd4bc6c622297788f8b67505f073ca505a5cd2bb25a995474e24fdd963e83af362dc63a398ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUY.exe

Filesize
801KB

MD5
87e3e3c28bbe0ed2524f784a43a5559c

SHA1
37d38c5b470941bca340e3138c2b468a692fc22b

SHA256
7038bb07337dc3fc23e4dbb2a82a91d568ce432c7edb43bd4c20ada691dcdac2

SHA512
e568c8c0dd8959cea8c6eea3622e95b0e52a7d92e2f3cf8f8023d8fabfc4fb7f364a1c01a6ab5b5dde0145e8361af6047a5886d267eecb61c1a5754a46516630

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMU.exe

Filesize
554KB

MD5
feb7c8297d19d2a0745733176d5f8740

SHA1
db0a4329e2beaa4656d53f53472ef48c331588c0

SHA256
0006ea3ee374cde54bd63089443a9a9c675d082eb1b761b354e4432933f4a588

SHA512
0566ad0d7377023ab8d81e275515212952857fbd3fe29122023f7df7a720dbd30dbe1a40fe3a6884570f5f1b3e309fa50835da7fc371fdb7e6585990716963f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQsK.exe

Filesize
115KB

MD5
b2825a2d32ef2593ef1298dad8935f6f

SHA1
305a2ec86722ec0ce84b93f40587eb57bb5c061c

SHA256
0ef0e97fb9742c4ce81ababd736273628f385fd2a5ae30d89760b5778cd67b3b

SHA512
796abb4fa2f95330e8883417e7b75b235a23b37ec586bb8c6e98876f349b5ad0a117f54a72a3640b4eec38687cbc08da5d45e9d9096d524540d53a5602dd3aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUci.exe

Filesize
236KB

MD5
fa9e71a20e0d888a0937ece00f90929e

SHA1
fbe1c640017794f2f0f7b3f5d0b3278ad158e0ba

SHA256
77297889c29aaab433b5de49c16ef41f4ab5aad25e93ad47efa707cbdb73f6f0

SHA512
260a7046c223d3f133284838bb772ee46ff33c14328eea042bf4920f1cd309ae8f26c37d821c01d34d649f11465e91783f79e5a2a06c9ee90bc58a2627a5bfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgC.exe

Filesize
113KB

MD5
41a0bcc25be36c8539eb2199bb40b2b8

SHA1
30acdd3a1dc86d82189bc9d10bef39924164666a

SHA256
12bbb860cf0502590ddd3dda3f90dbb8a2f6190d851b945b40383e3da43635f4

SHA512
ae46cee420edd63fc1598d36d9ed115810ed993068a52e6e7d2f54caf2eaa0fef8b011a821e50c3ae92c34c644470c2cda5e0454c6e593991d53b4e6f6aea42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WooK.exe

Filesize
110KB

MD5
287d531f97a2a8ed6c8eb311ac51a3f1

SHA1
eab6ecb177156b093afb2cc6a28493708f4f49b5

SHA256
8731c1cde8dab40206501389654826ecf267d6ba7c7c79c4cc30b652be8cd6b7

SHA512
30602d734f19748045bf25f1bf1fd39f65f3b841068d20cb18505a0a1fcc4e513d2cffa3471da88fc48dd62408629f7f43a0397304bc907ece1f114986bf7903

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwQG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAoQ.exe

Filesize
700KB

MD5
79ba9eca3920f436fe0d0c57108f4d1d

SHA1
5a898230b5819d2df5559894172d285d037fc0a3

SHA256
8d92c90e3c41740114472bdbd051237cff3a55b60703fc75ff9ae4c7f61b6dbe

SHA512
3a1545e0b0e97cb4094dcd5a3d3e8a15bb8efa455109023d345351f5a9532bab2b759473a972e70af6592007bcb62e1c1cc2c02875019ed6483b3e8796336ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEws.exe

Filesize
719KB

MD5
cd7223b8e73877c092935c51df218709

SHA1
0899b26ef2aafb2dfc3a1341b9db3c5e88e19530

SHA256
58239abcdab8da8b39b572a7c489b1df6a6db8a88d26829454fa4a29e3bee884

SHA512
ce593a82ff3bfad636b8d4cf6d34a405e8e36e0eb5e918746e9b062124298241335c40203de72ff06b1b505129c0435933d5cc38c589a5ed7a6484289eb580a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUga.exe

Filesize
150KB

MD5
0c4aa053ab51cab2f991580a6df3555f

SHA1
87dda26c2da591d97ac3c9ba181bfa8a74ce0125

SHA256
b2e41ef847d5faea21e3e0776271b158369720ffd10ac82ca545c021000a2e3e

SHA512
1bf3f004babcbc6b2531a7edd99ac7b30210ded89ea66c6b83346b81b81dcb0144b859a487ad58dfe88bc001b7c961200c60a152e706e828043175b965f1f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgAq.exe

Filesize
125KB

MD5
036e1fad137a0ed8637adff6c9ddcbc1

SHA1
6c1bbc2a85c012790d2b96f217a2bc33604fa5d4

SHA256
a42369fdfca11fb3978eab7a5bbaaaa881a14f3b80a699a4220db15ef67575eb

SHA512
7b59bdac1f042b7f659d05aeac967623f45a3b47f97880e8cb0b459b7572a95b2fe46972ce46866eb3cbc4d7f726257ede6714020ccd34d3c0f4f5d0bb7d4769

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkK.exe

Filesize
120KB

MD5
08d5227ca9d6157bec69302bb6a7659e

SHA1
cfff403cbbbf7edba066f176a87f4d2f30dd9bee

SHA256
7ec55ee623e5399cf3ecb79baf4d75fe922af760d28bd96f1474107e2c4c6233

SHA512
738c502b183aeb3c8c84677dec43f270cd54c24c646cdc75282200a38d752766f0b0e410d7d0b3d450e9e5c5e6f479a2e605c2b643c87b192b28b9f80f1529cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwY.exe

Filesize
113KB

MD5
dab708a1ccec3ea02faac90f64b02b31

SHA1
6adb3fb06227449d1b855bd60c58794fc91c7de9

SHA256
a970b26928397f1220581ce73487f65f3e5c23ec2f4e5896745c2f068eb16c70

SHA512
41854bafc194aa40466408f90a1b1544065133e4bbebeadf05259975f9f88661295aad3b467f7b4c7b0204ae75dc563106abc9dc532dba381dbc69ec1609970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\assy.exe

Filesize
114KB

MD5
22996888a6009ca20079dc54acbd5e60

SHA1
7f52ba251bc043c0e77d1afb6f48924383e351dd

SHA256
e5c33602a3e783f0654a7813a8e2a49f08f9d0635ad159488c454522a6bfc5ae

SHA512
34358c9a7daa4aad523cabbe940c3a0eb6b479857c4e484a946d35ce022b20a85732b9a8c0eec0326ba01fde15328ac701fb6f1c35432da893e6f637bcc10f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkc.exe

Filesize
113KB

MD5
2517d78f173a8cbd2d680e82999c79af

SHA1
2046fc5cdf72e0d8692ec41b4f01a002caa8720b

SHA256
7e027f4d8f6ed318929013c5fcf3655b1794151e4922fbbf9915e2df54bab6ee

SHA512
f156bd6d8269ddf7fb86ff136de8cad74d17429a992cd5de45ceefac8f4d197ff660444e33cc1bea0e54479ab6178357d35d8130e6e3a3e9f995062a00d693e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcC.exe

Filesize
111KB

MD5
097d223d9035431053d94c9c9a1888bb

SHA1
a6fb7e708dee5b786c5209909207294be2602e9e

SHA256
8fa03ee2384f7a256681a43bd18e755a985b918404b60f9fa67c24f09abd5578

SHA512
f022f19e92c41446f8285ed6e989e28502b5411e1f15f1dca6949a263ea9ebf0b2a08ff0dbb69bed0087594a1df898062e4814eb24ae247a4a4560f1766a9309

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgoe.exe

Filesize
136KB

MD5
6e3027d2cee7b2199cd0a9b973e287b5

SHA1
420b26595638b56a493d318c5bc5ef0c8a78352a

SHA256
abab49ed23d6711c480200941be9e28cdd6d035498b418a1c8dd8d1155ea6c9f

SHA512
eb75cf70c9516f3cf4cbbe2ee60b4201cb2437053e88119f6337d64356be4cd975e6c9d568c552400c29fbc967990ee0f5d2c9432fff19b7fa6ce90aa18efdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooc.exe

Filesize
112KB

MD5
c65bc97673f0346ef808e36b5e9296ce

SHA1
9af8a6410897a69d8f691c171a43525524134e94

SHA256
2faa5839e8a519559f5b7edd51622ad38827a6b56c68f12eea58e47bab3442e9

SHA512
af06bf90fbe1ef0f00d4b54d1a86b50992686fc9fa3b07de5ffe5cf308e606ba381e24227b44aba9882d0ba76f9a1ddd8a4b207ca80b60c348511ddebaf98801

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosE.exe

Filesize
350KB

MD5
513e1c16640197ddd17a79f2b7b60e06

SHA1
c3473da0d0ef9955c9297b9bb6caabaa0a718a7f

SHA256
5b5841d2d71cce07355deffc69185b72e609417eaa8b68dbf79cc0b5bb915436

SHA512
0b5c69a7e4614e7610d97fe504ffd8ac82bd7a9aa9486c558537ebc2139b31f9b3addb2098f1f623701b5beac2de3f964bc4e5dd02b3172d1d849cbeac4ca0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQA.exe

Filesize
719KB

MD5
6e8dddabeef90577df1c4aa5e3cfae18

SHA1
a184b6534e24072d6fd37c3caa102e3c9d69d6be

SHA256
ff805c15b3803d3c651029c589263ff83b4a1d5cd44c23e02b6616dd887f63fb

SHA512
926c9f745be710d500d4288ba134f20d88b0fd19347093c3bc648c6fb09d43210243a969296ca2912449190b4c99c2ace435cc5b7f637b9695ee687a6c33d2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMoQ.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUMM.exe

Filesize
111KB

MD5
ed213dadea4a68868ffb4304faefd011

SHA1
72b8e82f29162d43933a680ae71ee8e23f2ec219

SHA256
bae38e9c3169ab9c57af0f314f8a4d9114c3e0694916d4ab7877fb3b2ce3d757

SHA512
5b1866f21b22e3dc5086cbbf4df28cf886455d7e8b07812e22cedcf9535afe34163111eafb3c114acef34c984d57005753af7f13128f55dcf2c4a1f99583e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogU.exe

Filesize
112KB

MD5
f4b7700ce3d4fed3812ebb93f19815ab

SHA1
87674bbd597d40470cdee2a785147a44e966d6e9

SHA256
722358fc4f24c40195092585968a106dc1a349b024a7a73a4087b23db4de82cd

SHA512
519fc9dfeb5c5339216c9f344cfb471cf8f5f4e47ef8c447d6a6583ea7cf68b39e9faacdb23e1afb480c3d673fdbe34e27cbe337202f1b76fe1f904c5a43b053

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQoq.exe

Filesize
112KB

MD5
8dba8ba8edacff2977f862a835eb5137

SHA1
f961359e9bee4d5dc304368d3cee2e45d5a19524

SHA256
3eefe08f5a6bb4ebc01af02f6f91e7284001c1982899c4a5b34912294f02e2f1

SHA512
665677fc5cda876e9f888fd54ec2762da120618157114be93e4d352477c0a70d209a9dbc1a608e2aa5f774bb8ad628a9daab69e69bde9d675fa4e7c5a4116c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUEO.exe

Filesize
112KB

MD5
0ffa961dd30360ecffbd74ebe9cc816a

SHA1
145f2bc2b5177924c1ec3f481402d2f32fab4cd5

SHA256
c0c4dd4a58fdd1840806367de28cfe2106c2b99bd76e9093a300dc21e2c81691

SHA512
e98a770b79f75652d504ece2107158dc719db6beab59182ecc3319074a3b75235664a12b1644a1e45c31f5c13605c109000ffc9ee7ffced5906632ec44d26e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUIa.exe

Filesize
120KB

MD5
0d4cd115c9cd0bab0dedda07d6e010d3

SHA1
ba3075052d93a72b10371d040ec200e882700b1e

SHA256
2877d085986f2db6eaf0dbc06b42b708938c449036720c585e7d0b62634900a2

SHA512
6825d4096c939dbd5d21f510ddce0db393f0279f3cd32086b23560fd9a74278e27c2326e68b217cf62904f079c94f7e1a11805dc121d2ca85e8aa070e75fa8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYYU.exe

Filesize
110KB

MD5
c12f8038e3ad7a79a875580b9d6636e0

SHA1
a44be611429cddc05f98bd3d781d5baba47e61ff

SHA256
68fbd575db0b164fa14daf30d19f2fbed9ff44b8b271bc447663cb0a82085a6d

SHA512
e1689c8ec2d7cf3997d1e5c49d29528c09bd3521ae39d78fe601371d31b97d4f70a094da76da47b40ccc7de97b123e6504794f942533322510516f4fcc915c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQUS.exe

Filesize
118KB

MD5
eac6dcc638e926c39105c8683dff7427

SHA1
64356d4a25ffe3bde0f8029704e9e5433ee898c5

SHA256
60fb568c5d80918331fd59299fae8d5e13c4853353c8046cedc54b95b7d85fa9

SHA512
aad13827f63897e16f34973e29d5d992bc0fb025abe6ee1bb3b10b2385e87de653403b7d551180141157c7cd6734e784af8c60d41c0e46655810784c01ff802a

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAo.exe

Filesize
566KB

MD5
d3cd2c684471087031dc0ec315e7e819

SHA1
b0d6ae65506a05992ddb0ecd6a62d174978692cf

SHA256
c34b221094396ed750ee949d05f280a352092f2fc62733f61e873186968ed26c

SHA512
cbf23961dca87060ebbaa33048bc899679bde03336d9e594befddf3864ab52b806a73514fc362e8326cda41cb98412a6c056684b8a20d1721c5dc8eaf56e18df

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIck.exe

Filesize
111KB

MD5
2091dfff590fcc50ccbeafa38ba73338

SHA1
7bc4ad0dae97dc25518b831713b0d9e3889102e6

SHA256
6f0b9b0817f48a8881fd8c3c12655555ec589e5a4446e014d00fb2199ab8acf6

SHA512
303b2f552c6d7a202a8ff4cd439d9fd11a232c279599180fcdd65ea4945931cd41588403469753ae5fec3b2f3a7be0e23cde39268f34b89866fcc12d3375ad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccS.exe

Filesize
114KB

MD5
c68abb2646f649db65840301ee69ede4

SHA1
28be6247658f2f13a07c7e6d538853ecafb2162e

SHA256
ef0d3b653d36183f30b24e23c16650528c667ab833d201b592dfa19f99751b47

SHA512
7baa9284da013f804fba518753edcaf3d9b506f758c41aecc7398508c2ca49e4d13ae66af292e99e7b719b0a1b6ea8e5a9b1667c3fbf1ae0bf5d7d6817e74192

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYC.exe

Filesize
297KB

MD5
9a805f708a96e042a7193737db7a893f

SHA1
80f8bc44f021f861e393313263cf5549a63ba2d7

SHA256
673183ff98d2bb82f73860efeb0bde2f1b8af4f40a8f1b1d9eb9f7b90d7c49ef

SHA512
e17ed72c2d36bb8becf5c2106f2e2f5bbaafca154a0b6d3c3b31c5778ea5a7872ec4fdd72a327ba3dd03f7cb6d96afcf16729526b8567f4bbdc15ffc1308a712

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAIa.exe

Filesize
111KB

MD5
e263b5d760a4b85f57c653bd76faaf1b

SHA1
969bf4056b6c99ac26679c5f02232f9a13d91061

SHA256
75af2854daa7adab2e90228374c0be2c1a54136cfa361268f63edf2675c18c67

SHA512
7fe9e85b0b4246cf3aa6c4555fec76692b8844ee799f294d70806eea4ed59f0570f6f3e669223189d6c0de52d195128dfff5ba23446d46697354fcdb80a7dfbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEgc.exe

Filesize
117KB

MD5
2ab9ae99296f99fb30895b275c5d3e0b

SHA1
b965568140e3cdd0f31ae80ddad11d93fd4796d6

SHA256
63e77053f26c4b96c95b9544ca082bc2a776752b1d335fb8d4280c45a93d8437

SHA512
5ff679b67478fdfcadf8815c007d4953393cf71e3420db568cba43455bd08f292c764c94977673cbbf45aaa96bee24f97190c2a685718da5131912617e6b9367

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsS.exe

Filesize
139KB

MD5
41a2e44aa9ad0fb016996c33f6e635e9

SHA1
b5c55f417c912abc24fed2907ef1c354d38a1203

SHA256
d0f99c2b4801770c08cac75e4a2051d2775be8438fead4d3429b68d69b2d96d8

SHA512
f95e86336688931eafcae3c656cc4e12fdf50b08379b87401174bcdd3b169c53c9d5062891b52da2ca286e4250e1bce33b6665cfc0625ad5deeba034c8f2cebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIg.exe

Filesize
816KB

MD5
b93e6dc7f8104ec75e17008c7f776d1f

SHA1
d7b6a2a507f1ae11c7304b19fac2c7684a8305f9

SHA256
334c09c675196031336f11cd2017680f7ef5cba6bed666ceaa044f5cb38ecbd0

SHA512
cb9a56d49163055d2d6d85c291a713c0d0dd0df4d8b36e2b9a10e5f148f19737c701e8834e56d8b2c764021077f767f70d53fe9fea9a632e8dccab7274df5748

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUoO.exe

Filesize
116KB

MD5
fbd92e55397e98d419db3d7f19b64a40

SHA1
72549e5b5f2bd3951dfef44e342e5c0aa2126ca5

SHA256
cbd472bce63333d859c885de9b705503c0ec23f7bed1b68cdd4c3d8633b73484

SHA512
08c6b91d04fb210930801263b9ef596ff7b2854ad7b5a4438ed1fd7e95adf0fa077837ba8db113cefecc180f78e6cffe122c04203b46bc412f2c639a6a5ee5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckI.exe

Filesize
236KB

MD5
da8ca51a4a68226931a76bfdce484eef

SHA1
03c54c17df94e1906939563e71ffba2589ca18f9

SHA256
17930dfdf19a49cebf5008f45fe1dfa2356f2a58415ca25bc703beba0ccea45d

SHA512
a78187c53238176ed5d7c48bd75d73b49ddaa2ae3196ac5f537563dfe87a9b6f49fe91db33e14ad84e9188fc15cdcd87ae864d762a2f9968451d532fc140681f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwwS.exe

Filesize
236KB

MD5
758ab618646493e655b4c3214082935a

SHA1
9e5858191bfe22c460932c80a0ef343e6f157535

SHA256
c35670e021cc205a3013981d5994db45e6cc52d6490408ca44e317d1e3dfb9cf

SHA512
23822f16cb39bfcb0ba34375c06c464ef3bb081724010a914a9b2e2db4031f3b6d33bc6558681b4daaa993a4f6e8a7ac6b1ed8d7f91acb5a59968eeb647222ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcc.exe

Filesize
111KB

MD5
90e392390c58e3111a8b719c297a02ba

SHA1
fb527be59aa94f7f0ae23a3d018560d8ce43b7b3

SHA256
9648823ff209efc20978d0a1f9773b68d7b81e7d08a5e977a5d2f8407cfaa727

SHA512
5744b8d123385ebbed48a3c8feed9c8e2e3303b1e0bf81186403b6a6e889e82d06e1dad8c7aa211f7bf9f4fb1adb67018c567bcc57454780525de601c8ab8d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIUm.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgI.exe

Filesize
111KB

MD5
a62eeba70bd80a6205d685666365d95c

SHA1
3cd868371885f058f141924b1d8d3177e5895ad8

SHA256
0986688b3a0d428acfeb44e2d81697138a5dbcb5f168d70037b239f7a8c4d85c

SHA512
fa9b1a489a1623fe072a1cadb501722f405c306b61bac053dd71a570649ee7e2b014cfe77115a8b2b1121b072b778a958bc24cc9cf95fb532b64e531c512fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocsE.exe

Filesize
111KB

MD5
f0568607d56ab24af2c29b6ebb922e00

SHA1
54deea8634de2bc89902b49f48c582019826a638

SHA256
7bc227dcb86cb453bb75dded22ca8e8c9ead462e3db9d92ed986a51a5cc06bb5

SHA512
a65dd64f8cd3954efe11d16a10ae9a00fc23c68946ed1f437e7a65acae9a91702ad5b8781d1cbd186cb436d4ae5bf860c5b0a7b8feddc3f875a50304d385c601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogoY.exe

Filesize
112KB

MD5
bbcba3b27ace6da6edf9734e81807d93

SHA1
9b81854ca866ee83abceae23a4528b8d177709fe

SHA256
ec72e210bcd96f1b3d39c75b480aa62e987816642413537dfc8309108aac8404

SHA512
a8a7fc49834b4df5502c67ea43d2e415f9e7582064f84194f2ae60646f39ddd8a25361713898d983cdc8b0b651dae67266ab96ea9a9ad68513077d1f98622612

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAAq.exe

Filesize
138KB

MD5
e0c96fe13843ed9bd5409d83e183d1ae

SHA1
17524d5c1a2e7c6143dbbf48e079afee8c04dac0

SHA256
2746015cc3663481a98d13b808479c97754aaa883c94b12d89cded8ffec55acc

SHA512
01f78d893fedc6b965c98c7dff91a1531ea356cc114b0375d23605bb55e1265b71a04430c0a26246d60e9520c6fea5b1d62095f5a7b98f776e8051e1920b8c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcs.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYok.exe

Filesize
115KB

MD5
2b42c66064de60a27cf86852ed2b0f0f

SHA1
356c42de1dfb9106568eaf8033e62a07ee217103

SHA256
6162ff78a72d60a770fda08b80c62b372646d0a183767a691e4abbf342ce619f

SHA512
8cae4d3ef8007b67a3cd6571a481d7a548666241398cd2afc895eba457ae40f6e8b4f844c7b964a7fc76ef8b6b937ff079d3d016e67c69d448d8aa52d45a90a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIM.exe

Filesize
119KB

MD5
41107c54abc9d1cef61d5d0f71917e0c

SHA1
35709200726129cfc7b4e77c7f145ae08c2f9271

SHA256
d1f320fd39144d4b9475fbdf00ca92cb292083bf3e952cef703b47214f060d47

SHA512
19e3609bea008a333a592b22e068a594b5b1c0d2c7e44da9be2a18bbfedefb8154fdb400054ab3815521a68617d984fb79ab59cd55275ed6e983609636e9aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwgI.exe

Filesize
121KB

MD5
becf40b560916285ab8c5dc610c19db2

SHA1
ed9cc67eb24ee5eb19fb6c34a038e6f11f2b1318

SHA256
501c18903c1a1ec47094c47df43d5eae0695d9cc262892f92587094343151b41

SHA512
3340c3bb94c67c4ee90adbba235cc08fe0fbb004f47c5b33551e6e2257e85be3cfc3514c846557aedba030aeacadb579abff685cd1539c7b6833d54073b03f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEIc.exe

Filesize
110KB

MD5
88c3d1ca1a7397635efc79db6b1862a4

SHA1
abca83f5eabb81c50f7ba109da428bdd30f0a2c7

SHA256
3f39f5b37d13f3e7d957a9a1bf8a95d0e38625eab4973b6e69eaf460de1b5735

SHA512
b53df8680bf8967861882798841b3dfe30ffb4b6b7e2c72aab9a670f680aa66fbd66ce1e89e360b23333c7540cf9e31e2fcf8c938ffe4d4fdd26d66c8f359658

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMMs.exe

Filesize
111KB

MD5
317cf99f8722523bcf819531db9dfd7a

SHA1
76c8f2271a09c5d31e1f35fd66aa7bc3594cb8ef

SHA256
f70fbb9d31fdb096932d36630b82cec12013b13bc3b65759410fec9baae15baa

SHA512
56f67999d13f849f9894dd11b8f8348884bd0f0ebe669ba1d3f2e4c9c86d4edb77cca4d69f23da1c40dd2bfdaebb11c0557f62ab195d767db31f0128b6d558f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEu.exe

Filesize
238KB

MD5
46e2bda6c0a44fbbf73da017dcd788e8

SHA1
ed252ca47fac6d1cad36f2dd263d46fda3a1c47f

SHA256
d681f6ac39f5348f9916ceb31dffb48f05b2a52be8aab36bdcb3fd24c61299e2

SHA512
34612465b230f1e3b6a8590ee9dd2b9f1b4df9f8b23ff6468e02eff92c0477565ce5de1a2798ac3f67424938695986d6c0b736523783b03cceec5ca1c160fe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMK.exe

Filesize
111KB

MD5
9662cd3fbe79d92c25aa4c3f3372d468

SHA1
66dfcec27aeb458fff718f8e906299071ceaa16f

SHA256
2a648f6e1bc88f0400b711610c4393016ca89f5362056abdfee52bd70b04a945

SHA512
564ee3de3c4853db54e037553680e009d0abe4bb0bd4090db6da399878152856873449862848951ca27f543165b6783a1c64ad95275b27e34dedd7dcbb62dab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYg.exe

Filesize
110KB

MD5
d27851515f1b7d52a2f14ef677cbbad8

SHA1
0e70b583e00de5b16aca321b1ab3b4003c3c0971

SHA256
7d13fc9142982782a7205b4c481dbf31d5ff4dd522baf85c050edfa14ad3fc32

SHA512
5e9fb51a58284ddef0f021aeaa14c724a2f3e47ad3a25f15383b8d9fed0f7f66f0f62287ee262da0844c074113a926fd251c0a31443ec84f70733f71a1d278f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQom.exe

Filesize
565KB

MD5
1b069dceabd9ba00eee42bc138a629b5

SHA1
b9c41749e5d84dc8993a864ebbd84b3c3196c3d9

SHA256
6b92e9ef7abeb363e09a363d47928d1d8c33d051ca9a5259aaa2a2bfda6b43e6

SHA512
2e7300ad30e0a65774656c3a57630817bd80708178c008e86ca869aa5470de89a0d53d620a17b2d47e30491ceb68e2e68d56108047d35edca738f04eb654c91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQsA.exe

Filesize
642KB

MD5
67c4dee0a786df1390282cf5f1a6f700

SHA1
a1e61bd4dd2aee6a6faba5cd603afbe31edb5511

SHA256
b4b5f6b48142c20790fbfc86f706b0527f3a1965f00da4873be6ff95394749f3

SHA512
88cd003f6bc27b6a2d78e31d12ed38f5492c6877431640d93b4d5db97ec70aba9ce8bb5161a5c0a5e21524e8d989f4844821b1639880c8c00157a3dc3fbb540f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUo.exe

Filesize
564KB

MD5
57f5a11a79b4c726a93b54a3a1ee4737

SHA1
18f6698a740284227aeec37f14d57ed95cc5f68c

SHA256
34aec4659e7807e4cd524671efe47ea0ee1a0614821ba1582195d72d7dc476a2

SHA512
37e014d3a7baffb5c90a577a29bde6175ab3d461d5039185fb0e463e309bf8ee6fa4d3a0fc52971bfb5489b9b84a97e15f52798c064009628742787af5258384

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYM.exe

Filesize
112KB

MD5
e6c19061239065c19cfa3827443d2782

SHA1
327a70477d78a9422d2da35de23ea79418a31993

SHA256
ee2a95c6adcdd87203a7bf89db147aad8287de7837c018cd644f0c5b2ee2c3be

SHA512
347a97b983ac16bf560c047f513b9fe4b2570b716eae17eef1a081cb4d738c595fc2422221a746f89f0b43c209f98ef27a9d0c108a7f389be3e97b4f4189f84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYEooAYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIE.exe

Filesize
121KB

MD5
7a81efb16cd471b2261f0b9fcd350a74

SHA1
e17b9f399ba4d0bce28222e68203cd7e8696aaa7

SHA256
65044b1a62969b805b9fb8dbb3902d936fe0c13380c0b41efdc6edb0950ce5e6

SHA512
22958b621ed07ac1187fdc838abafc5f9b012db64b3f7f5b2a963f8770ff9296878d22954dfdd1768e1f123aa7523ad5e12d6b7257e1e4230de4c2f354138fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQkw.exe

Filesize
110KB

MD5
4d7e8c258a88b9024e0abed262cb592f

SHA1
79849207ee7b7ddd51512d6fe637164cd9727f88

SHA256
36fb5460e8babc0ad0044a3478b6e2dcb391149b604cb029733c15043aa32550

SHA512
8b90c7c3a044bb0ac64d2167eb19db39c24d2f3133fe6f8b8024977b3e5619784c8677db136db3ca557897c864008ebe5f306a40eb971334d25863d23e8d3e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwIQ.exe

Filesize
112KB

MD5
2edb5eb60ccd706d37d3afba91f162cc

SHA1
b46bd3a854f591a784b8215e933281f3b56a8e40

SHA256
333384f1cc86349e92902618d2df38120c8f8d3b3c0be9b218747e96784c7151

SHA512
4a7c6ae52a9ff0493da58e5d7cc8b9a1afb30cd2db095bbbaa2fd85eaabe5d26dcb85a1109b39a3733373d825762f0cedf13c70cdeafb20579435178f29d904f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYu.exe

Filesize
720KB

MD5
3188223b2afb54bd3fe71fadcf6a305c

SHA1
a48c76e6713df18de8496983ab3cc049efd0ac7d

SHA256
ea6b1e86c6bb7a8020d6ca4c8057d789e08b02c904a8827419d83c1ac1f7f27c

SHA512
14d205fb3fddbc2dd0d15c3a8408f1b905288ac62235b259e9163f09d6c4a3ff5bba26efb41dc7368f0d9758030881184c3113ca8123f91f8783b16199c0ac22

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEI.exe

Filesize
119KB

MD5
99755b19e8efd1f37e98074e1d5ddd79

SHA1
42bb87eb220e0470092be5af37b0082bf14d5959

SHA256
6d00568eaac4e37efe64896fa3706e9b544c0a7a7f6060abd0e3dd588feca5fb

SHA512
9a3899a8ba9c2c0f15b5984668375f230989ea607fafab817a76108f0d439bf87e9786bc1cad1e3a44f0cbccc32a2feb599a4d544eb149e4124237f18069399f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUQQ.exe

Filesize
110KB

MD5
4e80979811ecff48f63cc5d94967ef52

SHA1
2dd5aaf70b59dfdee51b3193c434d23dc1114f25

SHA256
9c40d3d7314c2c23d37939c20c841feea3e6f22751ba141408cbeb2f92036fe5

SHA512
e6a4a05e6721bb3c580b2886dcf4cdce041d793b70d52e122cae051d58c837c2f0799c03f30d48f3a8a11a59bebc08f3342f4a9d4271673d2c575b8693263f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUso.exe

Filesize
557KB

MD5
ddd888f91038b37a7ad80a63f299d556

SHA1
4917e331a226290dd38a92cd1d889468ced0a71d

SHA256
e0442da9af6c0e8d3c60481a8ba76e8a79f202f8e404a7e1ef1c730621b70809

SHA512
04ea3d0ab22ba1c4750f97f00930ce746c5c99d183d5ddd364f8596bb16607a63f34c39a5701076add3f8f3a4a5fa59d0b538f659bbdbd9fdc3a35f2b6507d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygYC.exe

Filesize
892KB

MD5
feb56606325066e65e5a4709281197ee

SHA1
7c4db357dfc45bbab567cb4677c1e046fb913c52

SHA256
83fd596e7586c5dd62cbb4ce22c7a01725e0371668714221583395b970afa863

SHA512
65127a02c06d2759cbabca959e1eec3a2e7b172b866d109eb49ca925278310901e55fedb05699ff3cc53e839fa73fad6aa44b5eee74a2d0ee77bd2d08616786e

Download Submit
memory/116-439-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/116-431-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/344-475-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/344-462-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/448-352-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/448-342-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/716-501-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/716-511-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/840-99-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/840-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/968-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/968-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1036-502-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1036-489-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1192-151-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1192-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1372-245-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1412-466-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-516-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1592-440-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1592-449-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-471-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-484-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1700-207-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1700-222-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1748-526-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1920-507-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1920-520-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-430-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-418-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-171-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-187-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2044-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2216-265-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2216-275-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2272-343-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2384-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2384-41-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2652-445-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2652-387-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2652-457-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2656-334-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2712-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2712-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2812-310-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2812-297-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2908-349-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2908-360-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2960-253-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2960-266-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3040-162-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3040-147-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3416-91-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3416-369-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3416-378-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3416-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3488-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3544-44-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3544-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3712-370-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3712-361-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3980-396-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3980-383-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4000-288-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4000-301-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4000-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4000-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4112-112-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4112-127-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4348-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4348-124-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4356-211-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4356-195-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4392-413-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4416-326-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4468-233-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4508-199-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4508-183-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4524-292-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4572-244-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4572-257-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4588-318-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4588-306-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4660-480-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4660-493-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4796-103-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4844-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4844-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4892-283-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4892-271-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4896-392-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4896-404-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4944-163-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4944-175-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4988-409-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4988-422-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download