62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
Size

208KB
MD5

67f8bc1f68d349d18faa2188d3cb4b07
SHA1

1a72055a7e2e602b11f7ed53aaaa7231240c89ee
SHA256

62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
SHA512

ae6a720a7779af57ba3c0fb1b09f6d47a6f9dc8b64390846362627c5c304eccd4956e5d6ee5ca27d85522359c1d37fcc76227e8fb469f2de80802329f9cc8c36
SSDEEP

3072:we+nqymUiOlDoZImEKNsmN1+qONNbbKQkvuasNT+wadrttL9:8qy3iOlDoZxHvJMNfAvuh+wad7L9

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	MuAEsgUQ.exe

Executes dropped EXE 2 IoCs

pid	Process
4740	MuAEsgUQ.exe
2168	vWQUwgIw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuAEsgUQ.exe = "C:\\Users\\Admin\\xEUAQkUA\\MuAEsgUQ.exe"	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vWQUwgIw.exe = "C:\\ProgramData\\GUUUIYoo\\vWQUwgIw.exe"	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuAEsgUQ.exe = "C:\\Users\\Admin\\xEUAQkUA\\MuAEsgUQ.exe"	MuAEsgUQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vWQUwgIw.exe = "C:\\ProgramData\\GUUUIYoo\\vWQUwgIw.exe"	vWQUwgIw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	MuAEsgUQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	MuAEsgUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
748	Process not Found
4820	reg.exe
3700	reg.exe
3336	reg.exe
4460	reg.exe
4560	reg.exe
720	reg.exe
4580	reg.exe
3784	reg.exe
2892	reg.exe
1068	reg.exe
4364	reg.exe
3276	Process not Found
4948	reg.exe
2220	reg.exe
3024	Process not Found
2252	reg.exe
1612	reg.exe
4724	reg.exe
3884	reg.exe
1068	reg.exe
2248	reg.exe
2632	Process not Found
4084	Process not Found
1404	reg.exe
3276	Process not Found
2012	reg.exe
3492	reg.exe
3952	reg.exe
4848	reg.exe
1388	Process not Found
4284	reg.exe
1180	reg.exe
3868	reg.exe
1268	reg.exe
2580	reg.exe
4616	reg.exe
1064	reg.exe
2696	reg.exe
3952	reg.exe
3828	reg.exe
4816	Process not Found
3932	reg.exe
3004	reg.exe
2712	reg.exe
1996	reg.exe
2760	reg.exe
4748	reg.exe
2268	reg.exe
4012	Process not Found
3724	reg.exe
2768	reg.exe
3868	reg.exe
2408	reg.exe
1244	Process not Found
3444	reg.exe
2464	reg.exe
3828	reg.exe
3924	Process not Found
4616	reg.exe
2012	reg.exe
4616	reg.exe
3592	reg.exe
2768	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1612	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1612	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1612	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1612	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1140	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1140	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1140	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1140	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2348	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2348	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2348	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2348	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2188	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2188	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2188	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2188	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
468	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
468	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
468	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
468	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
3592	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
3592	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
3592	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
3592	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
748	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
748	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
748	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
748	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1892	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1892	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1892	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
1892	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2664	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2664	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2664	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
2664	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4604	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4604	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4604	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4604	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4436	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4436	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4436	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4436	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4956	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4956	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4956	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4956	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4888	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4888	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4888	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
4888	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	MuAEsgUQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe
4740	MuAEsgUQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4740	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	90
PID 2760 wrote to memory of 4740	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	90
PID 2760 wrote to memory of 4740	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	90
PID 2760 wrote to memory of 2168	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	91
PID 2760 wrote to memory of 2168	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	91
PID 2760 wrote to memory of 2168	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	91
PID 2760 wrote to memory of 3240	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	92
PID 2760 wrote to memory of 3240	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	92
PID 2760 wrote to memory of 3240	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	92
PID 2760 wrote to memory of 4460	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	95
PID 2760 wrote to memory of 4460	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	95
PID 2760 wrote to memory of 4460	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	95
PID 3240 wrote to memory of 640	3240	cmd.exe	96
PID 3240 wrote to memory of 640	3240	cmd.exe	96
PID 3240 wrote to memory of 640	3240	cmd.exe	96
PID 2760 wrote to memory of 636	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	97
PID 2760 wrote to memory of 636	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	97
PID 2760 wrote to memory of 636	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	97
PID 2760 wrote to memory of 412	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	98
PID 2760 wrote to memory of 412	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	98
PID 2760 wrote to memory of 412	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	98
PID 2760 wrote to memory of 2384	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	99
PID 2760 wrote to memory of 2384	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	99
PID 2760 wrote to memory of 2384	2760	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	99
PID 2384 wrote to memory of 4900	2384	cmd.exe	104
PID 2384 wrote to memory of 4900	2384	cmd.exe	104
PID 2384 wrote to memory of 4900	2384	cmd.exe	104
PID 640 wrote to memory of 3636	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	105
PID 640 wrote to memory of 3636	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	105
PID 640 wrote to memory of 3636	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	105
PID 3636 wrote to memory of 1384	3636	cmd.exe	107
PID 3636 wrote to memory of 1384	3636	cmd.exe	107
PID 3636 wrote to memory of 1384	3636	cmd.exe	107
PID 640 wrote to memory of 720	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	108
PID 640 wrote to memory of 720	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	108
PID 640 wrote to memory of 720	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	108
PID 640 wrote to memory of 4284	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	109
PID 640 wrote to memory of 4284	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	109
PID 640 wrote to memory of 4284	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	109
PID 640 wrote to memory of 1236	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	110
PID 640 wrote to memory of 1236	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	110
PID 640 wrote to memory of 1236	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	110
PID 640 wrote to memory of 4280	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	111
PID 640 wrote to memory of 4280	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	111
PID 640 wrote to memory of 4280	640	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	111
PID 4280 wrote to memory of 1624	4280	cmd.exe	116
PID 4280 wrote to memory of 1624	4280	cmd.exe	116
PID 4280 wrote to memory of 1624	4280	cmd.exe	116
PID 1384 wrote to memory of 4432	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	118
PID 1384 wrote to memory of 4432	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	118
PID 1384 wrote to memory of 4432	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	118
PID 4432 wrote to memory of 1612	4432	cmd.exe	120
PID 4432 wrote to memory of 1612	4432	cmd.exe	120
PID 4432 wrote to memory of 1612	4432	cmd.exe	120
PID 1384 wrote to memory of 3760	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	121
PID 1384 wrote to memory of 3760	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	121
PID 1384 wrote to memory of 3760	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	121
PID 1384 wrote to memory of 5000	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	122
PID 1384 wrote to memory of 5000	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	122
PID 1384 wrote to memory of 5000	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	122
PID 1384 wrote to memory of 3620	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	123
PID 1384 wrote to memory of 3620	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	123
PID 1384 wrote to memory of 3620	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	123
PID 1384 wrote to memory of 2824	1384	62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe	124

C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
"C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\xEUAQkUA\MuAEsgUQ.exe
  "C:\Users\Admin\xEUAQkUA\MuAEsgUQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4740
- C:\ProgramData\GUUUIYoo\vWQUwgIw.exe
  "C:\ProgramData\GUUUIYoo\vWQUwgIw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
    C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        8⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        10⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        12⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        14⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        16⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        18⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        20⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        22⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        24⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        26⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        28⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        30⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        32⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        33⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        34⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        35⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        36⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        37⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        38⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        39⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        40⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        41⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        42⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        43⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        44⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        45⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        46⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        47⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        48⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        49⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        50⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        51⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        52⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        53⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        54⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        55⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        56⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        57⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        58⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        59⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        60⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        61⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        62⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        63⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        64⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        65⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        66⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        67⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        68⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        69⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        70⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        71⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        72⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        73⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        74⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        75⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        76⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        77⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        78⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        79⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        80⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        81⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        82⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        83⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        84⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        85⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        86⤵
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        87⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        88⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        89⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        90⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        91⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        92⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        93⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        94⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        95⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        96⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        97⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        98⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        99⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        100⤵
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        101⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        102⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        103⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        104⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        105⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        106⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        107⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        108⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        109⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        110⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        111⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        112⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        113⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        114⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        115⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        116⤵
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        117⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        118⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        119⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        120⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        121⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        122⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        123⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        124⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        125⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        126⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        127⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        128⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        129⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        130⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        131⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        132⤵
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        133⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        134⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        135⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        136⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        137⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        138⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        139⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        140⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        141⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        142⤵
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        143⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        144⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        145⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        146⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        147⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        148⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        149⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        150⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        151⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        152⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        153⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        154⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        155⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        156⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        157⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        158⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        159⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        160⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        161⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        162⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        163⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        164⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        165⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        166⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        167⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        168⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        169⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        170⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        171⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        172⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        173⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        174⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        175⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        176⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        177⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        178⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        179⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        180⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        181⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        182⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        183⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        184⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        185⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        186⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        187⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        188⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        189⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        190⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        191⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        192⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        193⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        194⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        195⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        196⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        197⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        198⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        199⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        200⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        201⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        202⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        203⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        204⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        205⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        206⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        207⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        208⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        209⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        210⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        211⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        212⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        213⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        214⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        215⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        216⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        217⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        218⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        219⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        220⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        221⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        222⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        223⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        224⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        225⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        226⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        227⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        228⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        229⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        230⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        231⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        232⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        233⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        234⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        235⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        236⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        237⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        238⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        239⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        240⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        241⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        242⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        243⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        244⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        245⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        246⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        247⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        248⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        249⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        250⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        251⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff"
        252⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff
        253⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCYEwMcY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        252⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKMAkEoc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        250⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyQMcUMY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        248⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIEIwMoc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        246⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMgEYAEY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        244⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCIQwQcw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        242⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQEMksgI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        240⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baogQQcU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        238⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmowsUYc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        236⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaggQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        234⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMoMQAoE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        232⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYUgkAY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        230⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dooUcUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        228⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUIccII.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        226⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgMYEMIE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        224⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USEMwoww.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        222⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwMAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        220⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsMoAMok.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        218⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSgEgkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        216⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqQEQsko.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        214⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgEcYgAU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        212⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUoAEok.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        210⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoMgsEMs.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        208⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tesEYsAE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        206⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsMMYssg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        204⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaQsEkAk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        202⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCMAUYQA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        200⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywwkcAEI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        198⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKwskEQk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        196⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UicAQAUA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        194⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGQoYUoA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        192⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWQgAMoM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        190⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMYwEQM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        188⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQwYggQI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        186⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWocIcYM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        184⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCMsAIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        182⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMMkoMYw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        180⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWgUosUM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        178⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcskcoUw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        176⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUMoAcAc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        174⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYAkwsso.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        172⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYEIwoMA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        170⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwIkIAg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        168⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reYoUMYE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        166⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LswwMEYg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        164⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngokEEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        162⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkcwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        160⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKQscgsE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        158⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMwEMwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        156⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yckMIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        154⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgMQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        152⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiIosUMM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        150⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYkswMMc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        148⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwccUUsE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        146⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CckEMcEo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        144⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoIwgocg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        142⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQggIEUI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        140⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMIgccIU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        138⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEYMwAIM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        136⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkYQkEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        134⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOkMAogs.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        132⤵
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOYowAcY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        130⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGUcYccQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        128⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiscQIwI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        126⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lskQEoAM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        124⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGQUAIIk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        122⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMAMQQkU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        120⤵
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOEQAgUw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        118⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gycoAoQk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        116⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKMIoUEg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        114⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmUEwgEM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        112⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUIEQUMU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        110⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWUIUYIk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        108⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xysYIwgA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        106⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKgQcoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        104⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOAEQkoo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        102⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMYooUcE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        100⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWsssYIU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        98⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWoYkwso.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        96⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYcEowcc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        94⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeoEEMUA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        92⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmgQYUcY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        90⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwYoIgAs.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        88⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQYQwUsE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        86⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQMwwUcw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        84⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWMIQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        82⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwAoAUsA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        80⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUEQgkU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        78⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCccUkMk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        76⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YucUYMcU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        74⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAEgAEUI.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        72⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koQsQQcM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        70⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkccMYIo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        68⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boIQsQoE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        66⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWwAgAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        64⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICwIgYwA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        62⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YckIkkEU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        60⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gisIEcUk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        58⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSUEwock.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        56⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEEsgwcc.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        54⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIQwoUo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        52⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYAMggIg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        50⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUAMoYEA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        48⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCAYYMEA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        46⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwYEsII.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        44⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiQYIYkY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        42⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMscEEUM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        40⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiQMUMco.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        38⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LecwgEUo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        36⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyMUwkgA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        34⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGcEQIUk.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        32⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smAQsYUM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        30⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMwsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        28⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUUsYwUE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        26⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqkUEgcw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        24⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuQQkgAY.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        22⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REIIwMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        20⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQkIkAsg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        18⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owgoIgYo.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        16⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQMMoksw.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        14⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIMUUAAE.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        12⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSAkAcwg.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAQkcccU.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIMsQUAM.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
        6⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puwUAwck.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwQMccsA.bat" "C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2608

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3240

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rrLScHJMZUGDD7irw2G2mg.0.2
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GUUUIYoo\vWQUwgIw.exe

Filesize
182KB

MD5
93c5b6c1af51fe44ba610bb32419e940

SHA1
9d54fe6ad4af59e42c7cfe2e52d0720d63c376f0

SHA256
994dc24bb1ee5c5dbce5c66eb3fefbc811a4c6df6b6e1182b7dede25f854896f

SHA512
12621f7448442011e2ab9d6336ae32ee1d4d27ddd2978b72518b9061441cd97dbd76e7dd433e0f21397d8399f9e2f27500ce51094e957946cf88674f56fe0fea

Download Submit
C:\ProgramData\GUUUIYoo\vWQUwgIw.inf

Filesize
4B

MD5
b13883a413a5eb6846bb852b9a8b8335

SHA1
2608594138d648663ffcaefb9a1755a89f713fe1

SHA256
2defd4b56387d0e2c352f9ee3b4301922207fee2a5ef5a46499d0340990315cc

SHA512
65be65567b4c5e2e7af43ecd973f9c1290905dbd4da66e288e40f750dee610128855b0630c922e4d88713422a73c2a5bbd6f19c8b8c47fd74102d3e5bbc863ae

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
207KB

MD5
6e5cbad8459da3f9cc9a3dc195f508e8

SHA1
940a55e4792e62af5b2d17da9d9d4ea0619d76b6

SHA256
0ab35301ced6a3b116db19b7fecf6cf4c0d496ff868d05061c91b4b1a12b9d47

SHA512
8d9d779dd488c83b6bb78e2cc2bf6994b24ce981e5292bfb1de9f8133f47434acc0d568aa4fd80b8412d1186d3d92e5ed14e7df9e32bab07abb5f00a5c29a211

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
794KB

MD5
02c2f9b1235d77432a1e088aa53776b6

SHA1
723fccd3f32ea7deece5d64be50a6af467244c5f

SHA256
4ec26b3a2afa070032bc63b5a7a28fd9f7ccae781ba0bcfd010e83ae41e349a4

SHA512
3628daccd247088cb41653f178c08a4baf5f285971f12400f2d5bdfd580caa9addaef48b25e20fad5ff0230ec51fe3386fcb00ccdd06839625fc6f5ad5f78607

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
803KB

MD5
a2e35874766d2ee24e31d4c09a54bad8

SHA1
880b7e5ea9a1c1408bbd3e8b977146fd826fd7dc

SHA256
b661b8f30d1884599f810dc26cec13cd7fb74d0674c9c0d0c530ad3682f25eb0

SHA512
6d478cdf6fd9739875807503557dc0af060eec9d7b8c7644442137a901b5c2408af85f14e0849ff2efb7eb5de2a799b48e139a23906e6c919b36c3ccf23c8d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe

Filesize
200KB

MD5
4f76d5cf1362778ff16ca02bd15d44ce

SHA1
7e87217a10ce10acb3f5a4b62e81da4eee26fbbc

SHA256
4323730edb7ceb15f9d85d99f5bca27c6d6278309747384b002a1ea30b0c3c91

SHA512
cebf5a0cc0ec7f82a0b5607aecd7e953116b18281fc6efbc061d525baff98fd05ed314bece71266476d42ff1b718f9359cabbf7a45085bc2b9a6c2af5ad6d287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

Filesize
202KB

MD5
edb56430c0e5fe38a9a22daed150fa90

SHA1
1c3799ed19d54d216e0196b51f0bb64561fce4b6

SHA256
cc6c05fdf4b88d59e4b75ca2d46a76439b992326348d639cedfce12db39248b4

SHA512
b8661b50f66d6f52a2628f802becfea475a940e76a49166bbeae89c99e70ab5141dee3b4c77ae59806509fd77899a018b2833f9f43b4a486d4995b722238f981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
189KB

MD5
928641fd15df3b7bc405034ea6c2b3aa

SHA1
5122a7947c191c80e3cc2c5405e9821fa8c7b623

SHA256
b9e2bb52aed035748f49153bde4175eeddd502a5804865af7a412c4415266caa

SHA512
74e8e31aea2e8fbf59f34bb73701b491713cb026dacc7018f73750f8c0d9ecadfe15bc06c6556bd57cb59b77f51b38656dd29fa60de8c626cb4bd640979fe371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
182KB

MD5
3ca75e9d95e67c6dd478cc33663b0dc9

SHA1
8aefcce87e45e6f6dc227b61cd52d4d51a636cdf

SHA256
4147b0c9af843a23c4a0a70aa65172d22d8b48a23562a5be0e83c40d22eb1a96

SHA512
db90ea026b40077fbb9240404a40554afc92201eb0c5e6f14b0d334a62c1627f49f6397b85d3f627042449527c27ce8395dba0e750f7cfced8d2cfd31d0f2b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\62d49eea4983eccb73a6c9729ee958fc57b786069993a72723cfcaff0e8000ff

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIwQ.exe

Filesize
518KB

MD5
95ca32c339a4d6ea7dbcd6ae0c905adf

SHA1
f6ede85c3da5cd0aa12385668bb06118daef1fce

SHA256
6105921e3cdeafb45ddf6e10d358ab2548f80442211ef055475278456116eb1c

SHA512
3a6132276d03a849b60c141d8a5c74364df951d6352831c8226f08b123682a60f1df918d780c8a1cb6e92503a7d774ba87346be26c5d502108ef9bfdcba214c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYi.exe

Filesize
206KB

MD5
46798810630ad2682871b112354dddbf

SHA1
394eb0db7d69725ee0e06fc1e7c2d70d7f1fc9f9

SHA256
42d96cf69cc1cf42509c2012d7763266032a795f5207cd6dc9fb7b3d712d7a28

SHA512
2273a20a630dfbd5a6430e69dbcc42fe0e96498e5848e433206ca403616b1497f7293d54d2e7b63615ec6b4b6a37b05dbe9443f2be032798d03ad892694d2d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUQa.exe

Filesize
198KB

MD5
d6f909f480b5b70db36b724ad58170ad

SHA1
786039cb2de46ac16da6f8b8365070dab86b59d2

SHA256
647e96ea27d276346c8932d50e3648ef0ad6adb0c99b72c6e1f9c92c23cd892d

SHA512
8e23b0db413bb863f79e5aadd9c0dd9b79cbb511f0cac3042e7becbbbececc3a5c209b871a54a0d44cadb7207b1325923bfec5ac67117e7976227a309f4c0415

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYO.exe

Filesize
184KB

MD5
cf3111a3e834febccbc991903dda39f7

SHA1
6d457c428196e1227320e424ff4a63a717598347

SHA256
1c154c46c6e9993d49d77e1f150ca0cc6e90bf36c112ce90f3a96057ba9d4df4

SHA512
7cf2602ccab3a5a075dfdf72dfffc6c2c40934ac57469ebe30e8a89a8aa379cb54699c8bf70b6b5a5db284c03ff744d72b3da35c4f99d65f83cbca5c070cf1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEy.exe

Filesize
311KB

MD5
dc845f2aa8068fd77a6999c822d8aa53

SHA1
ab26f744ae15c790ac3c18d2608180d0776a4bf7

SHA256
fd531dac46f6310a7c7429deaa667cc37762b6e851e4697e7504538041c188f5

SHA512
24ed0e14e175efe904a752db0f3da5116d4e529a274e3f17a753b390195fd577e6150b1ca64b0d01df0756699ec9d27e24ca2da1f019bd5a6eeda27b4b3a1a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQkq.exe

Filesize
220KB

MD5
9909b25304ce307c8ce8be2da616489a

SHA1
9425ae3e575a7f5afd201e101255258f610f5fdd

SHA256
6b5e361daa8317cde53e86f0c031ea2d06d239ec2b37e207b4dc06d12ed6913c

SHA512
dae97c619efa1a2a826fd43d6b970255ebe041759a467a0c33a40fbb61a305f96c8e849fe6fa4f574577977ea750972e4381495ca39eef1354fdb7ad9ed04599

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoy.exe

Filesize
218KB

MD5
3e13fdbfd79061302de7656eb3639a4c

SHA1
7f152db3c62653e47a46cbfc3f61ccd11d46cebe

SHA256
d43be9168b87ec31f7e57a931b726414f20fbe103d6d0973bf936f99b0020aa5

SHA512
d60657c3d625b62b32d1c59c6ec405fefec2a4b98e534c28b4b420dc0fd3107cf74862f9f53968a8c6d7cdf0b7e8cecec0800a0721775cbcfdbf0a3bb5df763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkIs.exe

Filesize
195KB

MD5
e418c40a75eae44a6d83cc8ee48679ab

SHA1
3cf527b84c750fa816920339ff7ab79fa61b965f

SHA256
3e8382cdb3cc77cb305123c278a6321bbf37e8e26f385b46371e9f84166bffc8

SHA512
afdde3d81705c086105e367540b2005fcb5bca00a1ff0bcd4d7ed3c5668085753511e3849753cf813d7841738fb17aff7f159a5077443f25aaa84131c79d1349

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIo.exe

Filesize
186KB

MD5
7c40861db30657bb74a2437e0b2ff146

SHA1
66fd5786e80fe6a824086724c3ba7788b643a672

SHA256
9883db40e80a0e1021170f46b10022e4b81f19d6b0001b7aa92c407def13eb0d

SHA512
827c2a4a03842c1c41ad492df9c57e2c8cbac4a8f79c6e8c87aada626acc9e2ea28205a4af37b73784679ea984a7b2c4f7bca8c5b4b30bd63c88839637602c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CscW.exe

Filesize
355KB

MD5
78e15c009578c5a55ec14be43cd5e5aa

SHA1
1bb9b69f5a45957c03115993bfe5604498631318

SHA256
013d6e1c6b48687529cbe4669bf0ad02f4dd6951374c2d35e445467f8f6d7d45

SHA512
4f7d28d3c4e0f23f5b3fb5ec47a722f2abeb73ab4b26dfa05461dfd523a75a5863ed9dad60ad1636b70a51fc146a8e9f967af01f48df0436597377ed60696eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYY.exe

Filesize
227KB

MD5
9fab79d1c6645f93b0798921b930ee2a

SHA1
317d7fe31adb1b70748fa5c25f4dc9e9b0effe4b

SHA256
f75771b7e79940b5542cc3dbccb78212a9af0d060f23189cfe36588df658b515

SHA512
ab9438d5464b4fb511108d9e0d36c80d3f1a82f9680476a35d0cbeaf5c8d716b2258ab9ee4fc6e12d0765b248eb7ef26a639d255d7df5887d2e5a77194deea88

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIIk.exe

Filesize
201KB

MD5
6fbea583e12c56621fcac17dcba6232d

SHA1
f4c32acb8677f099ea6453e62467ce578a20207e

SHA256
3aefa8c4c74f3f67985c04882e71d61d266626a26c24792ee38427b2b52d8239

SHA512
c38532f87dcdcfefc2cfefc8d5384630a76867c3bf9fdf99b9287a71c539d977a3ba9514dcfc4bd8cbed5e9f301dd144be015f93c232f7152d76b9bd17572b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIIu.exe

Filesize
209KB

MD5
a03656a812eb03673c1a639d512d3ca1

SHA1
446def0531aad042d215f43be04f7ec885834683

SHA256
8e3f21fab2905e1d8e3d03265fbd421de7be11763a1e2cf692d476bc02a18f89

SHA512
d5a2f281610a4c83514ca7783ad3ccef56361668ff793c1955e255a29c00800fe71733c154237ab9d59f968e0e968173e20b23dcc4cdbe3c24a513a0988d3a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcUO.exe

Filesize
199KB

MD5
be2ff1e2b3697842211283d450aa62ea

SHA1
54c7dd374916e2c65a4d7a962f12157971da67c2

SHA256
d86f838c14c07a4742967a0073eda88fe9ee4531133fe8b01947c37b63a1645a

SHA512
5a0317f668a69853cf069ec8a37bcbedf3fb7be09ef1508d76660e48002dc0be4b1f6989ab539d7c1cc373b3e2f508f28887d0ac5a9e1b8f230999b9cd78c302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecwo.exe

Filesize
830KB

MD5
de7fe03d83ebd998b108761b5c6236e2

SHA1
cbb04418ee013152c99b6aa2dc1ceb01254794a5

SHA256
f15f9ce3755f107a27962c106468eb78be8a70b2aaf9806d01e5635468612a1a

SHA512
1275bf5f1c8ec67250627132ae3b518fe72160d1cfc7fd45f7b482ba90fb0f0a64b77daf10be525c5d8e75e09507576f87a0e4ea6cf96c1c12033ef02bc0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMK.exe

Filesize
214KB

MD5
abacb13045fffb0c49ee479871999e3b

SHA1
4c19f3524893f65b95aa548441044f2eada96bb4

SHA256
0f17a69823dc891e483e873e956cecbbbe4ef3b3086d79b898abc392a9645aca

SHA512
8156be0540b27b7f258df737540bbe6d7eecdcaaca0ec8bf4bdd2971b718b81fc5fc5ebd6b19c1d5b9e9ababfbe4c18e99f935dfaed299457b51c6d536df3943

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMm.exe

Filesize
192KB

MD5
dc71c0b93ba8c550856a0735278d9b02

SHA1
da19b8b708649848a53a11256224d60a3c712890

SHA256
1a5faaa328ef1e20a62a4ed4542fcda057b2bdb5ecd85cb3e5b8fc50b8c445f8

SHA512
96fea51371caade3751863bb72f55ede04b5d5b7ce75c2709ba4835d099d69dea7bc73d1a2e8dc3b0409f4a3f1b85c5597aa9954418a03cb3410adde3d79e8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgcE.exe

Filesize
326KB

MD5
af5c63ec9a6e48621bf5423dc49af901

SHA1
55d8df935246720946b28e968b61840e318e2032

SHA256
a6e41465c9e5b06522d108f9444c329c25b15df0ddffb8078483b149925bf1fd

SHA512
7ffb22e0cb1a22a0c01cf79e9ff01b84693001bb2d2988521a3f8ef312b15b530cccdc806bfe1344fa8e9224346a63030eb845d25f618aa898a672b832ae863a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQg.exe

Filesize
751KB

MD5
5e21c57fe513bfd530b5d127f190e43e

SHA1
9205d233d9dcfcdb81ede3d0c5a022adaa0f2ab4

SHA256
edce77aa147570f00f81819664de1e0ed78d6a575946e1031c0c7eb5e63fe60e

SHA512
4cf446531b26d6e02dee0c6a218c4f990afd74ba8b56dd84f142c40e320ae0aba8aad762958eab834247a78bd9f5f4087d15434e34d6a19fe056a9281b5a3b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gocq.exe

Filesize
183KB

MD5
83dd414b16a4139113ea2af90dd5cfd0

SHA1
4dfb8479a41bb8b46e15d89ca0ac4b52600d409e

SHA256
788057ee88bfdd27f64b79bbf9a9fdad2d133a12903870106e6b02d4b822ae4b

SHA512
6dd0e8ae51ad8ca2021e2fa891e3bbea078406588ce5b4a6bad67158a58e09b53a07041a05d3a57176f525d98f00b17b288bf085ee136e5f88e4297d7cf13740

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwgG.exe

Filesize
333KB

MD5
aa89227f3fe04f6a56e79030f42b137d

SHA1
dc4679e364aec5585934cf41a0bd76248ab9732a

SHA256
80854818767d9c9868e3721ed0ae439f4d21b15337274083542ec3d9a012812a

SHA512
1ac43d4060d025fadc40fce2029896eb441eaf34dbd3b40c2b5fbe5a9aafec895d8f80fae00b7eee8a5a0acbd7a79a63968fe356d6c5c566afaa9cab82366dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUu.exe

Filesize
5.9MB

MD5
932d09a488a3c1cea86f9a665d7cc730

SHA1
fa7319b2ab93ec2eb839fccc76cfcedc0286c3dd

SHA256
d19f8574920ff91ee76141942fd2a251e1415d5c67679dffb6782b213caacc5a

SHA512
f7e2288f15c657df9ee3752bcf1635226eb45278c5a6faa8d7a8d5be02d7f41f8378d1ec7c6f436c3b86cf8388036dc2d6d922aec3ed4e6f1eac261f8838b7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYcM.exe

Filesize
795KB

MD5
5f1ab1875670c2645f554f469cadee04

SHA1
00711da7f93187eb6317404775fc33762a9f027b

SHA256
29eacf17d7965b18eac2cf832ea5e701a8afb241f866ac8254691d00090816e9

SHA512
f3e6c52e4292655ec153e14d6cc0cdb3512359d7a99890d920447179dfa2a0e16b400f39a28ba708696a599e841fd3a9825a4a9889c0b00e1db9ca2600c216ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkgE.exe

Filesize
190KB

MD5
b0a51bfe840a1905001eee6353c5bf79

SHA1
5cc7b1a019c0bb80d76ecd911bd83f604c05593b

SHA256
58bf48eebafb8cb2e20103d83122e3c097c9f151823141ca8369d0f6dae7504e

SHA512
39f90e5a9201f2cb1a31b620f908d0131f01229c367144c69b04ca6b7b4e2fb629951c3ba9745f42b0c4f26dc3ad7d498abf48b82c1055897826557f2ebdab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEEa.exe

Filesize
621KB

MD5
daa20717c46ab69f92cd6c0fb7ec4c0d

SHA1
7712971630e435707bc2607235379fc57cf9a848

SHA256
fe1239ae9c9f9b6dedb1bd9f022320711e9ceb5969c93ba76854b84f5484fd7e

SHA512
9415be9cf42877d38aadab1258798753fc30f2b04eefb4cf2e6fc1bea45c95bf89252c5200bc3fd1bd3a898a96f594df5bbe0a13bcf52fdeea24038fe80a151d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMA.exe

Filesize
207KB

MD5
bcbfd097b8d5f69177e78185d96d19fc

SHA1
8dc809ceada861d63be5db8e7006c24d9cbf63f5

SHA256
cccaf5cf27a20895a8c98735e8a498e15444c8944dde3ce7ad8731f52c8c86e9

SHA512
3ea16f2d8345bd33ab0cb124376ac35e137bc819884b4ad1ecdea69c3a76ad0b1e48f4aab166a711a3f180ff2af9bcf0912c9c875c0046216c209dd576daa324

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwkM.exe

Filesize
183KB

MD5
abf463bdaab36ab0ad8687bb37aec4e8

SHA1
0cf488b8313bd4abdb5c75acb7454352dd6ca7ca

SHA256
f56ac00700ef8261f043d7e2e8e03c3ae98c1502177df6792f11f19c36d9ebc3

SHA512
4c81a31b05586c3b7a1d171543a1977d4d225bc6a3b03e2b72fdae5576c95c00445b176532ceb6dddebc5de4a3bda83858415acbfcda51c29546e76190c578ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMEA.exe

Filesize
183KB

MD5
c32ae0da06abf094c253723f5166c669

SHA1
1546a6e93e800895184c3da79277553589245e27

SHA256
bd2073e245d89a85ecb15e4c9d4de9d2ecdadb83cc7b4fb30ebc8dccce077eba

SHA512
8c06d3bc189ca308fa9a7772335eee7f73de6cb8ed78136d022f48cf2d0a158bd6d1f40004d7e167823fc93cfba681d4187fd8d96bd0f6b48384e03640a42e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQs.exe

Filesize
196KB

MD5
05c4431b764bb37f384adef105f26852

SHA1
42b0ba5834222fcf2f125927206b19fc8d951c0b

SHA256
0900c996780c277f194ef84092b779e7253ccf17886efe48bd02eef19af43136

SHA512
95d437a0b23846ed10f18f9960bed01d247d33364b038cecc1f3431d3e924d2329e36080c8ef40ae4680ab5c68bedb32184309f88f59bd9012e0154ecdd103e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkw.exe

Filesize
191KB

MD5
ff820cfa4bf9ebb30b7e406baa027e24

SHA1
28d139a60bbe03185113c61598d9728ed5bda1ea

SHA256
2f212a406d1ba5263fa2a6fd36d570783b6fee635a2d1420252ebd02b5149704

SHA512
c71f5658b8d8d5f6c82d36a86e6635cadce25f2e90e919bf7eef87545604023d06e4465d4a02aad2a8d24bd6b4a302a5a5edbf66b686b3e2d8abcfc652afaac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMW.exe

Filesize
197KB

MD5
cc78cf5f08b848feda161c183f528426

SHA1
d2e033f8675b60072092bee933b7d7efe5f5f176

SHA256
e8d29d86c1fd7251f1c4c00161f150c272ad377f86a87cfd6853c3618bc1e577

SHA512
98f933564852aa7bd052e4430f37d4b592533a60328b3afdbf560ab77ca938b8c3b592a794b0bf6f5cc44ecb30498cf01220ac83b4f09e8c95c9df252a376a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkM.exe

Filesize
770KB

MD5
f6b3a4acaa54bc46dc032acbd2bf98b5

SHA1
0b9cb59011111fe200649379f2a4b9f3d1cbed12

SHA256
81ed8a5e6b09621bbb9e24ca913e6c139f71019a5926f617aeab1b136df13b01

SHA512
c01aae91bff2bf855593aa265d0c0ee29a4168a9c8db9a72fc2d9f9a3a3f96158468db936a41b71f60c67f979eee45bbe7fd02a0a74c018c7d30c4177ce27e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMks.exe

Filesize
193KB

MD5
2241a6eb7955e91a2200530b2687537e

SHA1
4c661476e7f906f6a095274600b7472b0a1410a1

SHA256
91f4039ba563eb8a7e3aa820beda0441c0fb0ca471784331dcc419349903bdf5

SHA512
464ff6b1ee9992d47fdbcdaea59e23eae6dbd30b429eac31c674d9fe077c138e1cece494daad7c7a9598a42eba376b3b7604e3522ed00d9df5d82f931b575f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OokO.exe

Filesize
822KB

MD5
05acb37a392dc9b75e3d7871755916ea

SHA1
9494071982ea4f4b3c5c8b7f3993155311fd57d6

SHA256
c632d5cd6ec6fb21affb1546a9e5426e0b45682330a8dba9921b79a0daf77bf3

SHA512
3cc483e332871e1c1d76848a10bb0d51ebc70f4536660c40a1d3b7027a129d6e4210317457ef3a172d8c47f781258f2cb72502f23bde645178dc31f5f29c082c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAi.exe

Filesize
788KB

MD5
7fc3919b81d66ecc04debd2ff3152236

SHA1
63148d817efc4d45e35649a90695e08eeb2b62dd

SHA256
5fb1f0b80bd2744ec8ba681556eeb2c902009d7534c0307b587b41b1ee8ede29

SHA512
d9ed5b18f6f863e752dfb3e39d8249d9fb4d28f882635c2f746d57d12e429bb0c9a97833bde00c9a646750685e98d0f2a36394d815405b1374026407c27400fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAES.exe

Filesize
380KB

MD5
d0facf3f26f8533d096510b8063b1f99

SHA1
7ac3ec46a500a4a010074eb9d38a3b9e29482c00

SHA256
d84b290e9a0f89755921d1760a2dad96a931d7441c7f29eea18071d7c66eb015

SHA512
721125f5e8731744ebc8ea2f4d575ed9a632939a95f71899331800209310cc3846ca8ea9ad4c4712308af6e0d7d72706e0b290e0bff0e70ca79b028a2b7367d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIQS.exe

Filesize
309KB

MD5
c0cd73fc6ea6e55725d8c37f1f1e61b7

SHA1
f52633b4168d1ff931e51a42c0286c3bee95cd39

SHA256
467da053999850a00a15de1348545801e238f78cf476c31bc12e1591d8575af8

SHA512
9697ad685d2a8b832322230d5ce28b7c48e8938f5623583075194234e6dacaf2472d956dd5bb19356912637d287bc104c15433c1b2bf031d5adc37812d615158

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMo.exe

Filesize
196KB

MD5
8f6b8ef3b33efb8bab5985b7207b626b

SHA1
69fd3b8fc4c810dfad8081b00e591bc37bab871b

SHA256
b6e0d432aa94f28779926eef13fd2680a978c1a235f2c86356df951589939f36

SHA512
8e058e1754e824b0599aae820b7f50da75d9f3dd0a4bc072e90fb36fa57fbc26a69252b825cf8eeaa7a608613298cc7569b065271c6b803b28dcec6c3b590df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcgk.exe

Filesize
271KB

MD5
3eeaa74249dfb9363559adae34b78c23

SHA1
cb51972718d70f28ae32a3295492bce8d97ab757

SHA256
e3fc3d799bcfcaccb9644fe263962d1c73fb0ad4fab07607fb834988668e8c3d

SHA512
44499b1f0f9f7e50fbd056d664e955826bd258ae8ef47b27ba7b5230c4b27a857f0227001048c60cbbb4eec3cc09b66ea8f089bd331355f57662178e8e233945

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYA.exe

Filesize
181KB

MD5
0737b7c10524e92b69013b67225cc370

SHA1
c926bedca19aabf90a25fc31317e062f3c62ee51

SHA256
6edf3f3f01c3771f2fa752721db65aeb80325cc597ac28862097a1fe7afc3ea2

SHA512
24881a7a1d62af8e0d1d48c8f6223df1f49c2cc02dd105b71d5bccae8eb7146403888d81ba61966f597be5006c2be1e6ee4d8817f4fc7cbc5d09c88246a4e662

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAS.exe

Filesize
1.7MB

MD5
230e1dbce14c4d3a5d181d337c42e881

SHA1
eb42b19fb7f9b895bb2da38f8f48a16933f3fd57

SHA256
ce07a46212aa0c7b499afe6efe62bed81bc04288744e83fdaf87a161c4c9a187

SHA512
e108087c9d3b8a8a694c751de47ad8a1e56264d731c4451a46078d506c39dd612e52cd0fa8c1c248a21be79ac457d8f353aa39b7994a29c0f626c7436f12a042

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQQ.exe

Filesize
197KB

MD5
68677d78028da7ea4a628a2987121551

SHA1
7594de68839db3e8dd105cb35aa9127db1325a99

SHA256
68ed8f751b59bc3ddd25af62abe4ad04d65028f0ae20efd613087d2c365259ea

SHA512
0819024186a92492907ff61de5d3c7e00257fa1d3071821835273c864f561ef1d6f070c8777ec714716128aa0f181434036be847bc311f6fe6ddaaa797abbeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsQ.exe

Filesize
740KB

MD5
aad0e8093035dbd2142cca84669cd1d8

SHA1
07e75f7f0dc0a64a19a43b941f7ae3a04bdb2f93

SHA256
988d17abe3f52393d420e75617f6a22f5d719502682b242f719fd8f116e5e014

SHA512
063e2454c670840e92f138314c1b8b582807322cfffdee4c5f3288e5baeb4bad7bcb4ffa987ac3ed25025b130c5873be7543beb831394447b1dc647dfd35554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcg.exe

Filesize
195KB

MD5
a4e5e7fb1374666213003e2d81e76050

SHA1
778ee8918b9496fe52c739057ab0267cf98397a9

SHA256
2d33a1912b80fd01c8ce721ddd38c7b969ab5e482fa7a04c0e4ac232a2f0eb17

SHA512
79e928767a55023d19f9e98940721a0b8757126c7f07a460c87217f8be6a989e6ede5cfd94dcfd8394c4fa5e16c8970adf98cdaeff8eaf5c1284b031c7d7d43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sccw.exe

Filesize
191KB

MD5
652d3edad5131b9fb9f1896e81a3cc14

SHA1
5ac10cb77fa7e8ad8635d9e463542ffd03a58067

SHA256
b138d695ceb0093a503ed7394230c1945c899ff3424c9c4dcee3c0ca550c8ea3

SHA512
c70499bc076e30ba3bd2034f9502727118a283b1f26b41d7d66c3a9b32bcdd40cd875635f12e46c192030cf568150603fa190cb7f4563974f461dbe6dc202b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQu.exe

Filesize
200KB

MD5
5b5f84a9b73b2b35017d4689df5e8c65

SHA1
32ace462faae3ca45ce47afd0e97772b4d811961

SHA256
75484a39303418bbc4fbd14099f6e9a17988809fb5dda4575d22a9d38a9e766a

SHA512
68d4fba60206bf511df711d78d29a1342b811685bccf9411f8c2c2c794b47e2ead3f625f006fbf0190ce51c1826174cd571660a297ed2c7d7e5393e26f63a8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQQ.exe

Filesize
813KB

MD5
9a3d0b61e49a677e11943c4fd20765c0

SHA1
5b5e4906d05b03c6795d121b8c62c58b6c010625

SHA256
ee4f67ba7c8460d39bb3f8ed7923edcf45e61820e0fe70102b7b1d1b57cab22d

SHA512
6ee6290db1609f891d8761733f44cca47488036439a8271d3270d1740042e12bff7fc55f3468209e5bdfb8b5403a50f45e7ee6e33ac35281d917f100df048d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwsE.exe

Filesize
318KB

MD5
3512754a7e8b1f44984ed186a8beee77

SHA1
7304f9742ee5b442e2a51d4ad50e81466cd7e061

SHA256
bdb721c5dea1596ef440220c94d5f46a8b3e24f8807adc06e803338d04af431c

SHA512
cee53e97f5a7a78f703535b37b472a4647394d986e80fb16da5932f2d4571131b59ef2f7f687eeb2393bca1ea4d810968ffcd87e4e67c6ebbc2a037bdd7e03bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwQMccsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIk.exe

Filesize
184KB

MD5
d4caad586f71f34a1df5c4ae6932f2c3

SHA1
6956a67f7d0f6e3aa39cc603cb9bb0779fdc45ae

SHA256
d5ee0016dc996652225d0082157524cddd47753862aa0c49f6e56258752c2c46

SHA512
28bec4f2cfa4ffbb7ff7a928100d496b1b66e68fa1b809b31ae061c5ab10f0c962f0cc9c39c73df23a00dd61419a142a783cdea08386e49de9fc2f87460ae32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQYQ.exe

Filesize
193KB

MD5
c7b44fe23bd6237216a6cc759595361e

SHA1
c0bcf3905b8bd29410e2ba39a28ebd345362d769

SHA256
0e3b546d5611c0490ccf85be36c6b7ee2c34f4f57a91f5da11fafabd513cd578

SHA512
216ba3db782a0f5ba8fba2614da85b84d6aea17206bcd31fc7897af2168494d76d83c39eb714607975f63e2b797c2f79724acb38c60b6000536d655c887ac92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUg.exe

Filesize
202KB

MD5
2c1c84cd0bb71f59726a2424f4a0971d

SHA1
794b79a7f4e32c7e0d24c2f37701f4a8e4afb5bf

SHA256
0ae07bef53abcd20a1286ec7f0137e7dc2f37c12f08a29081ad992b54fa29198

SHA512
12c018ffe1492890a7206190b3d981513c571e24c8a47542062aa40ccffdd3004c57a603105ff0809e7de18fe85687191804d904586d808fbad1a7bbbf7081d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUgI.exe

Filesize
188KB

MD5
22dac78b0ddf9ff3a3916197432c17a6

SHA1
dddecb5613e95c3ca979e293ce7d4f1998bc9461

SHA256
96f6d53950aba93b0063e6147a247e9f4649edc0195bbbece9cc7a3ec44528e2

SHA512
03223985d8944bad0f096fce0b73162664576182c47ad0845b8e381325d900efff44297d1a286647cec171badf3f86296e20aa87cff62f225c56c30c7f3db58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucge.exe

Filesize
207KB

MD5
43e458c43e4d42ade06195d2878592c9

SHA1
2d68830f1d71b44593fc05a7a88d0c4b63d95120

SHA256
5b7358098cc624f85d5dde356ea2ff5ec52deda83985ce3b08a338bd2a2a1b56

SHA512
0e6f319d69bf03c610a27f8843d121c0bac015bf28b7de968352dfd1969b8114d4c171e7d8d41d5b7c241f12a6cdb8d7e1d0d0ee796c12d357f9f9bffeab3ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUa.exe

Filesize
191KB

MD5
8e7bb542d3c54acfa4ccd24295e38934

SHA1
4b634b36a19df22b9f6f9b2b71c9a11238664e04

SHA256
3b09a89f345c2305d26072f01efb33cef876480db8d90d04fc7440acb84933e2

SHA512
b2b4fdedea19553281df0a8be3975d55d49c6e76995156bca30b90ecf09e2ce9d9af4238bd35e478e9209ccedde276fd431bcd64d16c418166192015715b7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\UssE.exe

Filesize
195KB

MD5
cb7821e1ed85f76628a75399899d9c16

SHA1
d2959760db9e47a07706d696ebb3e016b3eac36b

SHA256
91fb8752ed9e9bb70aa0d7c87803fae4fe03eaa0cefc0e45e23a8498c4c6e907

SHA512
acab6a8625e7b0d30f557d91e8cf6fb0fdf4c25c8ac85dc05ebddbff771ef1c08e72cdb2fd1ecf125306ab7e65d32611661662057b8732d6bc648c2a62d1d180

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAq.exe

Filesize
645KB

MD5
eb5af65a033959fdc116d0d9cf4ce928

SHA1
b2de8b2162e1662062702f148aea50631ce57feb

SHA256
be9ea17812415dbd6ddd6efb1ed7ad20835defa0dfc46edae190268090bb7221

SHA512
9b1465a5a8640ce8072e9c1ed37aab260284485aee0b25850ba4284c7eaac6c41fadffe98b7f0858de49b4a65d5d3c6e79cd560fe79ca0d59dce112ce933efb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEce.exe

Filesize
207KB

MD5
055a53b71273d7352cf62ab4166e1172

SHA1
1831001d43873febf88daa609a6552b1613fefdd

SHA256
3e44dbd614c7fd88596d001993295ababfe36c594d2a8567cd94a7a3b65dd9d3

SHA512
9eeef6705f2919f4ee69233d160556c641be4d20994de059f6894b5d3a4842b8f4f37e67adaafd8ce003c066ad3c127bd1458077fccffef8420622059806aa94

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIQw.exe

Filesize
567KB

MD5
0fa927dcfbf76e4370fa691606bd70f9

SHA1
7afe881312a9a4ea053c7a6db9ea44c33913a30d

SHA256
5ab548a56a0080d3e5402af092a7ec99a41918e7293f20229b688609a8898505

SHA512
702bdee53aabc7993709d26d1aa85c569398ac7feecdf87fba2c84c00d02f27d8ce49f7b744d430228704dfdb4a63835432697029b2f6715692ef18188f50b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcgW.exe

Filesize
321KB

MD5
b3f856f8d5c1161378019013b67925cc

SHA1
736de6967715f38172b2c06f7673ef71f147b462

SHA256
e1ffad872568dc6227dae11085b754496db772b288a6bdc6bd9ed93d8498cfc0

SHA512
de42c69ea4293ce021daf944808fed02cbbfe3096cebad6318fdeccf8fec7be81b29c430c18b76f82b1bfed6aaf87c208b75f0c2476e28c7209444a4fb15871d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkEO.exe

Filesize
462KB

MD5
ad687db106914a7d08b923028a21598b

SHA1
84621c50d8c008e7453ece0708d3d6698d256399

SHA256
70b0a0271f92e62af37834889ebd0d61273956a85898de499aaf05c0de377125

SHA512
db9686e16762b38e1584e60197523bb4649117d6902b69d1efd935d75f55095de09fdb1c10751cf341085fc5a0613655ccb9a130fc9239d74433fecb01227195

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoYm.exe

Filesize
828KB

MD5
341e086b58fd08ee064cfd26d703ab57

SHA1
84d06aa2fd51bddf9d63011be0c7b1b607141feb

SHA256
5cd0dfc02e74d9831e7e7b16e42effc4f33c09f08204a654f05a2956f20be6eb

SHA512
aa21a30584c027ee4737c68c2556b2d3694210e57d9276713250234a8e0a6e5789cd9515f5d702a1fd017ca66f1044dc812afd15c57948dcfb6526f27162c9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Woog.exe

Filesize
212KB

MD5
7c3bf7ea777b91a1c8352d43db9c464a

SHA1
344d72fd372609a153a32cc7d7501ae772d250ce

SHA256
8fff030a7af319a0fa03b68bc704d919c8695658117375178b1fb1c33ced7d96

SHA512
afb4249cffcf42e0ae5d1174c8d220506a9d1dd63b4f386feeff0854a18813f2d61e01776a18e78835ccc936ab6c94b47b506c9d42232b39382f5ed8af27bef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEc.exe

Filesize
182KB

MD5
1e6f55ec0e770055d0688a0ee0e47e69

SHA1
557e98296160177a58432b6dcf49d03ff919baff

SHA256
e9137760735ff65d5a8187d41def313c362d6a8e45aa48fdad9c914ac6c859b9

SHA512
3e84ed4411e83423a7bd379741768b59ebdaf9bcd0e7de428af58f2016d207cffbaebdbc96fe41cf0eaae489c4e292584fc89e6692e8634dade35957b600fc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAMO.exe

Filesize
200KB

MD5
07817f50ca7028c809f53c534084371c

SHA1
9a772ba7af6aa9ccd73d01a848c5ba253f00946d

SHA256
90fe574d141282e05fe60d2b0321756ef5357e67b77d301be47ee318ca1bc4a1

SHA512
e689cce900b29ab440224a0dd51d4305d4304e97b3712378efd3788cb54c15c475d559f3726b8977c5ffc4f6227cd6e983d41dcae0f3872f81b2b9462f177470

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEkq.exe

Filesize
5.9MB

MD5
b430fc4ba2564105433534a25daacd2e

SHA1
0ed0de992d6ef45c81b3996e834b20b8f40a2c2d

SHA256
a3ed0abe3c9e69ea1e7d1cd4e0db048267910cbec446bc6a703f03ef6a1e8b54

SHA512
b52273eaf7fd6c49aa49288961375cc1eeacac9d9875ea49056e3059347cca5c9661a35a4a9a63ab9e1ee1914029767019538ecc9c7cf8d29f58f52a004beaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQQ.exe

Filesize
199KB

MD5
1457e3f6af005645850c435112d6d7be

SHA1
6084261f55df1d373cb04e7ff8e6d86a003f9bd9

SHA256
32a42eff288f7515970f035fce5cef91dfe825ef353840d3617b8587bb727334

SHA512
eb3872c9d2e7d92dbc64fb7e65badfd0eba72000171c7a3434b153f9bd6a1891754130a435eed07699e4076c847616809666e5460962efadc71a4b7bdd72d061

Download Submit
C:\Users\Admin\AppData\Local\Temp\accu.exe

Filesize
204KB

MD5
59465d0d1e01a6cd97f8bca45212a62c

SHA1
a1e93f28c042aa90095e5264e295f35a1030b7d1

SHA256
44b47c2b8eaa08fb9c87d9d83f08acefd69ab7008d465c734a7e6c9eaca5ec52

SHA512
b991fc6efaa2163adde7cece65943e989c38942dc737317b3cd5bc5d43ce305faf897e5484dd9982f89c676c1549540c1c8c97a895c11c7fa319ef4c22bfad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAG.exe

Filesize
199KB

MD5
f2310aea69b3ad88647f9c0fe13a9e0f

SHA1
0308d2368a7e1e1eb0e6b690fc2eebee5e442c3b

SHA256
b1636ed9e24958bad5c3508e3ed6315acc8665287fc4ab63e4123b35ac52eb72

SHA512
c49ae0c7fe540b33683643705280b6ca2b6075227f1f1ab27e793059acf1ca65a210e6c4b81e6d66d5fe6c2465d5b9b41e6080f38301f257b781c208115ae424

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgy.exe

Filesize
193KB

MD5
bbb573ec06e80af56c649b38c82a076d

SHA1
6091112b3e4bb82ed8d2ccceffa77aa4c2d85a3e

SHA256
4710b87932dd32a236857314bf1383c6066be7eaed9ddae0194c32c5179e32d9

SHA512
4e41c6c3e576adaddcf6c317f2a4c15a538aa217d499aced3d493d700dfc43a3b7c845d5e387ded5809ba39ac615373467d5da1ac67e2937d74514bceabd674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoU.exe

Filesize
810KB

MD5
61839b3648fcfa7845a03239cd6ede42

SHA1
7f7f703556babb176ceb728066d0b852254c0bc5

SHA256
6d0ac7aa0a2203eb2d42512094932d4d3acf12b64107849a0664161ab3374d61

SHA512
38099e93545d758a5a8f020f711bd769d2284cd43e6c937ae8a207867b1d6a2041e6ec3d160c03e0f546b15c2c75edbb16c1372e1a4f9403f42110c4ff8db02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMK.exe

Filesize
198KB

MD5
cae346f2f14cf511a63876c743d210bc

SHA1
1a6d573b6f153344e6f1883ac21e3b08bcbc799f

SHA256
21e93a658a2d0e7b4d33de751972c2113cb9b8240e24c07eac1feff0ba6ed33f

SHA512
27f42dab489edb167504c81d9766d27f6826338d03cbf91103cc97f58ea8617699bc932de9b7c2f4fec80189f14e2bea73d7e0cf5f548fde777b0389238d4810

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMI.exe

Filesize
435KB

MD5
98d0e4f08bfebdb11ae1506be3582441

SHA1
cb6fd25bd265b74b63881ab0d368ab76dde7f1dc

SHA256
08c2715f8d55871fd269b46fcf8c9af877e01b1b1cf25ccf3c4064e0e5a3528d

SHA512
2d8b0efc83ea4dbf914fd73609f7bcc6bd06a529a05eed932d9d5fe4813a1f51569c27224b91bd180457cc1ca41620bf58888efe04c81d875123a4ddd87ebccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYcU.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgE.exe

Filesize
198KB

MD5
59d28c5a91a3715f182a3890ac03959e

SHA1
13014a3b433138bd62640f4264991ecce9bfb2b5

SHA256
802a68286bbd4a6ef705e092ce29bca29a67dc16556811a53787c11a0f1c7131

SHA512
876b999c68a32175489b75d34a09b29786e7307bf1aba95beb3aa842f0d9050173acb36aec60026f94b822310a2a7d32c2e193df88869bb4b7147d7289d4b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIso.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUQE.exe

Filesize
323KB

MD5
561718056de3a60cea47d8f81d15a681

SHA1
1a873d2d38c7777f9c0d9edade61832843683a5a

SHA256
03fc741a15d55abce3c0da2593df02b22493abfbc902a33f99308bf2a5cf59b3

SHA512
4c0c8cdead119ebb14618823aecbc588a6c81ad65e07b5c6ec2ae896ebe12466cf9def2e3ba62bc572da7a740c7cbc3d9781bcf0072ef30d7581ffb3fadb4216

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUQq.exe

Filesize
202KB

MD5
420fecb992bd2028746934411edeaaf1

SHA1
61d50c918b9d6b4bb4573fffdc6d2d5ab3baea18

SHA256
9dd1743638040f01e93fa24474938e391cd6174acc7b6f421e55ecfd0ae98bf5

SHA512
d35afe5511065ee79dea107013baa30b689f62ced1ea6b2aa365069fdc5988c0275aeeeab62ab00fc5f79b36049c26957634f49dc426ef090510de0388d27315

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAk.exe

Filesize
428KB

MD5
8213cd1348c91a1d15273ce81796e0e1

SHA1
758a9e618c408e12da757e5389267a10c6172786

SHA256
841a025d5fb9056717663ab8eb07e70d5af23c52c87cb348e9e31eee1873c1ea

SHA512
2161ec486c5a1698849ff04d4be16b9abe5c0c95220c7fdc550fadeaaf54b3b57ec043f0cd54419968836771243e16169bc8e21e2d06b01d12979c49073db9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUG.exe

Filesize
200KB

MD5
9e35a213f0e1a7b1ef8d7ffaf9654e6e

SHA1
3b6c4c56d3da2f8ee394c9e5908ef15cbb1acea3

SHA256
03aa6adad32011cf57614dbb4d8437d69fccaaa0510f348b8247f97bae6f0a96

SHA512
e55c3fce11ae3b7c8dde993ad9d0377833e5998ccdae55e2c9758a9fc62f5cc5d8912211394343f138fa1bad764b62035a2fae3955c325baa6ed5643a44b53da

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAMQ.exe

Filesize
193KB

MD5
5bd1c86ca8bd252136c9fdf0df6fa8e6

SHA1
0649a452457f8778d9e2c05fe98fba0d800ba183

SHA256
efaf75ff1dacd40daa8bf3d520e0efe56392243ea58553c1ce5c122f60c0da0e

SHA512
075a10e3170f7072a379ad553dba71ef59747979d6e7df6d096a96892ab2b5dcb1c7c0e38ac09104b5c9d8ec8dff2ddb75e39dec455aee3fb5d7bc82751db29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQge.exe

Filesize
204KB

MD5
f865e9d7ae77176261abeef1070e1771

SHA1
a4f887a789d79f5410239d84588d01f7c31cce97

SHA256
032f7dfb5507e3114f52966113c96a6cc68e0270225f04b4c0c0131b873058d2

SHA512
f04040935bcf31b76b1e9aee3a6955e984dceac9a9139fd33568a83151ec1d33f8ed78800aae995cb30b09082d07161684c98572956916094aaadd2186299aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQkY.exe

Filesize
657KB

MD5
f9c3287d85d63e75315e3c9ccc693b73

SHA1
b9d515aae65679f2ededd059e2428db72671ea93

SHA256
f8cc60f39311853a8fcb271b23d78cfd82b18024321cf2e446f4ad3ba120c92c

SHA512
aa3b9e8f0a759a3742312d127a70772c585f99ddafd81c7930e0bdebe81402eec1b68338de15712ceac4aaccedec58c1839cd71662c8b76c4fa9a9df06236cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\koIW.exe

Filesize
625KB

MD5
07e94fe5cc35bbe979036390c33ef241

SHA1
4653542a3a8e68186aa996246d726248d76acd1d

SHA256
2f9d77f5c19647019ed40cd3f5fb6155319ce81bef3786915f112539f1d8090f

SHA512
8e1345c45597e04d695c335aea4c9d8473249cdb5f06b059998931dadae5e6b43eb2150e4641c8f0f18eb9549a8014a5a137c8ef9e3af284bd14380929f23bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMkA.exe

Filesize
202KB

MD5
5ac17bf903fb591ee09803050451b0cf

SHA1
53c42f2558cd4ee9dcd0dfc0017d1f2bf30da05a

SHA256
a6d7f8bdc3027a906b412885aa4449498b8d7b60019c7aadfb2d106682e78a71

SHA512
016f4bc0d69d23ac02d4f4ddc58e7ae4e236ffc913a55d083a12de45507335cb54d8f58167a5e26651602e712ba69ae2ac36ab0b083e864cba9d5f150f82effe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcC.exe

Filesize
222KB

MD5
5cd4bd2a40b1257f301892a906f40bcc

SHA1
7319fd1b5fc834b402f4d3c6a6a9fb33ce9172d1

SHA256
18233e91f14ad5691bf867160cfc5b1c25aed9e5210d76f51e67da354f677ec9

SHA512
bacbd77f6875859291165e2db99a1c81e03cdc0e359a6c75a34b67566e243436b1c13229eeee1ed1dc2a35956a5cb44a66fe7c0096d13fa32fc5ae81f7a45ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksw.exe

Filesize
189KB

MD5
abda3a70f806ab20b2c66e8dd0261a43

SHA1
4cae62396a933b421948adbc66945ab153a8824b

SHA256
b454269d1ff9261e86bbb33add6f2f18fda7f6b2920bc66bd6617a02ce6211d9

SHA512
00d0c9fca28a4d33bd715410969216950fab29c86ebd4594a5e8b5794717286d56851c82af3005ee9777279645adb5009fcd76b8621c9fdad0d8f87f4b9956c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoS.exe

Filesize
197KB

MD5
2421055ccee99e205fcb8b8667977f30

SHA1
828badf3cb5dba75b1e7e9fcebbcd960af9eda65

SHA256
d1a46b934760a9610ff3c16921441f503235730f3d659315b3148e87a208f275

SHA512
e4b74d7b5ea8956c539fe3b139c143eb8973e0ebabec4c071f316ef51e64cd25cd53706ec422293735d05840516a8942f4ad77ecfbb60ed190b67c1372344a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYE.exe

Filesize
5.9MB

MD5
9729f93961bab626010504fe60751941

SHA1
dc5e6cbabf920e228439973140b804ac8aefe057

SHA256
320bb53ba8d60e18c8cebc3a40470a68e8eb5406198a835a6a19d08a137108fb

SHA512
52828932ef0f819346a6438b409d3c8729ade7667a36a484957c236ac6fbd6111e5301e2e2beef7b258cbf8221229d2cd1c86ed9ef5157a42989340f741e1106

Download Submit
C:\Users\Admin\AppData\Local\Temp\okQu.exe

Filesize
196KB

MD5
deced348ba8fd0aa4465695c0a5c9702

SHA1
cc8ed53c60411c78eed445ae459b70067acc8fb7

SHA256
4858634c42128d90362777ecc212198ab02e341a2cf4bdd3fd31799162178238

SHA512
5cda5b3e78a3eacf3e31dd9e1b41ffbaa9ef19107133f3303282c0a0e3dd4493e0b46786b704381af54d38f53c55ccd6684c4a0bc57cf2ee27f4955c4812c713

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIou.exe

Filesize
205KB

MD5
265e942098fd1667e6969f0a255cd7d0

SHA1
31650d08f64742220b60cb3efafc85885806b504

SHA256
4af9fae232f00085537d89dc50d208ebd1c8b8551525ed9bf8b20dcbcdb12394

SHA512
8b747b676028ab88619419bdbd4966db75bcc0cad9bf10f6e94dc1326242e2e2dd056e40970b589bc7fa837fecc2a3db6bc6bfdf34fcef907e66364213e65414

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgMq.exe

Filesize
213KB

MD5
9e5784dba34b59548a34f6f2fd254d92

SHA1
2989586f774d81973c589460fbb418c1acf24f00

SHA256
b27523418b3feac4a004ca96e33aeafb4f852f7fa371e94b8ef6dc6aa4bc2d8c

SHA512
5c7fd2564df17e3ef559fa1782f1e081f4868a95043eac6db12f8ea7ed1af74a16e014b6712cc95ff9ac69cc4a44f6315bc3a4c7bf962f4ef303b182751e3f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoIQ.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoQC.exe

Filesize
193KB

MD5
b5af8de06c15ece6d3faefbcbb1386f5

SHA1
809a1c95a80769047d1002886c9417a8a8854a90

SHA256
e5157f746050aae4c245fb89493d150d60eb75eb0432ef6dac98150699a28a5a

SHA512
8f3af17ddb04850ad1ca947920b79c945179b571807059e4e37b540ade8b053330c0df775b27a4b97ce156ba13b7d870df9c503024386500e89bf7a9df95b267

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIM.exe

Filesize
656KB

MD5
19e6cde64ac44eb46265da72bc9034fe

SHA1
0db2539a82be9f50728d87ba825e462e64ac88a1

SHA256
f20af30107e6bb6270b1e7f7d9fb9f035689b9f5ffb0d2a785c99976edc0435a

SHA512
9de4f5b2d14f297cad4e1ae0f69ee26093d28424f4d1675f34dec341ca872775f46faf1c70227d3b8251047e0d35242042ef5a5e1f7f241f29a65140ed025a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMMC.exe

Filesize
478KB

MD5
ce44d2df6d15b37fa44e60e697cd6266

SHA1
04cb8d2faebf9eebc370aa728758cf31896aa38a

SHA256
db52a0cdbe8dcdb821cab1e48c32e1474cf3cf7181b327c6042b7dbdeb0a60d4

SHA512
52bb0ddd2ab670a7df120c61e6cb5086345fca25c03615065eff4a91c4f5b79a0cece54a6558faa1cec69a982b357ca361a13608b49352b90730ac5889476bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMg.exe

Filesize
192KB

MD5
7a676ba1689e7c35f99a0b394e4fdf52

SHA1
2575bbd4d0dda2544d8a0cb865cd4aa946a58134

SHA256
8cc3d5543533ba4b3c56b3f67e24c9f01b99f9ffa874a14f2050ddefbacad331

SHA512
362f96dc442cdbfcb30076601488666f93ea3fd3c42df5acac670008e82ece42b9b4ba6dcc3453f52bd71e52ea90b95f8a664b1266fe38b221ecd2fe391c8951

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEko.exe

Filesize
206KB

MD5
ef5598dc69888cc08b7440f80ea69294

SHA1
1943e9ce7c756166febe904e3d23d2b945df9378

SHA256
70d9ca06d639093c5b830477b188ef20d3b9e3c1023bb1d82f3b04d7abf43949

SHA512
9215e9581d8f38b00e0dfd40f351342798baf178e53c42c3eb4ab3b39f8ca6aa39d51902c566cb56152233ca87b81ac7b835ecd6d872ee34490229bbae8327d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUAm.exe

Filesize
625KB

MD5
060f11e683215f0d27c7f7e79f7159ae

SHA1
c062cec9069a582b48e8b9ea4deac8e0c863d8e0

SHA256
898204c58a7082addb941286b927d15be031133ceb737db9775fc42fb8cdc0e5

SHA512
96992c70d39e23afc12f05f91e83aa9427d33957581135eb3e937e065b72159f90e771df15dafaae0cd76360e9db7e35776b689b13f745be9511963a1d8df9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUa.exe

Filesize
185KB

MD5
180f03287af6acc32885ab50310da0ef

SHA1
b80a7eab31a4aaf36a5bd88a6e6ececef913facf

SHA256
f40c80dd88c16efef1b1595aeef20d46ed9c61fc1181d3cf8e54d11314dd2669

SHA512
e6cc2534dece2ed0728706d5224001fb43db1464a84b3ac9556eb19f9233e574ec63f720a7f157a8ac79838694a8dfb20685180ebd471665148ed40b76121b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\usEa.exe

Filesize
181KB

MD5
9817adc9019952a79302aa64e611a0bd

SHA1
41e0aeb33fb07fad58a01d497bf433286122005f

SHA256
28fb48b4f3a4500c43dd947a208f85a148fba0162200d1986acba1adb4334ba1

SHA512
3121fe1daa50823a32683e8c91311ff27b6419cad412bde778b56ad217a0be003d7d0c77583123e323165aa0921a41db80a2de2fe04b64336ee47b51c1d777bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIQk.exe

Filesize
243KB

MD5
2be7e37cc0f2427395c502854491e961

SHA1
a2758370e37bf647692c0796f618db1d566a363f

SHA256
ec0c3d7059daab22d5f118acfc4e3c0d143eae6e2c9b392726c3121c8aa0243b

SHA512
1739c37b7ba427a6e82a633d4c6e95b67261ac7d301e697dde9d0fdd1730c4e992e8d27f5ecaddb611a7d15400a9d6ec4edb6ba6c49a5680aca2697f71d99480

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkIo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwke.exe

Filesize
635KB

MD5
8e08f57dbe9708a09545a261c3df5aca

SHA1
b9791c943211d1a1e60fc7df45913476631d1f72

SHA256
886f6f0a451c74a00fa1abfae8134ead2a129cf11e2d7f9a1035d348abb05f37

SHA512
ccea7af3148952d83d6b0c07e80ff759ca122658afb4420ce7da3a66cb28a635d76ddc4e1ce9becb7585dcaabe32ee64a4bf14a600f9281300eef3188a65da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMoA.exe

Filesize
214KB

MD5
b1cb83aeaca0d18dba46dcb9cc81a5fa

SHA1
324e637d9c3d1903c7394631df861b7ef4f9990c

SHA256
a98fa99f86bf056c132b2484db450263519175911a92c342ad650b73899b0d5f

SHA512
12288ef350c7e39f75e68f6a741151ca7ad71a44ebd5bd79804375ceec8822fb3654abdfa16c2aafa8e2bc74dbd076de9f54703315ac15081d2d0df27f3c9c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywco.exe

Filesize
229KB

MD5
0113a625ddb9b8b83bb624d9b8426986

SHA1
4808dd920c93356d5223c689e243a3e0590bc180

SHA256
3a48279d85a0d86c6a8b3bc3d4fdf4e48107901bbee8e9453a8bc694dc5f76e0

SHA512
6fd040ab25fe2f7f2f0f7eae1da6b9b8f17292dc01da0d8887ea8310e16480cd4873fe6701cfea8612a80c3dc89deaa5ec23f17abca9a48b50343f25ccb8092e

Download Submit
C:\Users\Admin\AppData\Roaming\ApproveSkip.pdf.exe

Filesize
938KB

MD5
63a23e0c2faab9befb239554b5b532e0

SHA1
8fa393221d9c27a01164073a9e590c11958eea3b

SHA256
3c77de3e7d12e8727fcf293040068093c40684ed8119d0feb4fd5e5d31da6c1c

SHA512
e7ae3ed1931a313ac47fc9ade342c572fca940a9d7650ba688cd625dfdb22a7e3dd5618065dad74b95281202a7a99877c7a9de1340f692de88ae75aa55fad3f5

Download Submit
C:\Users\Admin\xEUAQkUA\MuAEsgUQ.exe

Filesize
198KB

MD5
d9819d8b25865e26e25d5aa005c5b47a

SHA1
12bc9085cd7d24da13f1b1c3519eb6b0f6039bfd

SHA256
554b2a20c79a79bed5bc98c470282538ca47cbf2cbfa1f001b20bb826426d6dc

SHA512
a3633dd451792a13b1d65bd646340af9e8b13f5ef104c92626cfca50efaa654decfca4d2abfbecd51732ea3cce5f0188db2bfb6cfa8ca3f7c0e11b814b1e2023

Download Submit
memory/316-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/732-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/944-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/944-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1140-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1140-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1192-301-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1192-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-486-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2168-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2348-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2348-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-515-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3740-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-385-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4200-533-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4200-457-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4284-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-553-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4632-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4740-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4928-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4928-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4956-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4956-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4960-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4960-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4968-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4968-516-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download