156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60

Analysis

max time kernel
150s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Size

205KB
MD5

718aa9360c9b9167fba74e98a4269156
SHA1

ff2e1027a12c8be2b4efccf03e4bc1bbb934330f
SHA256

156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
SHA512

44f636a161ad26935c878d6d86368f361c8c21088339f80430e9dcdeca8eb71c345509dfe97e388b954c93369a25940fe7e0814595ebd84ac98482f322c995ad
SSDEEP

6144:IQa17oXxiEh/yJghcs8wmlWwBTy1n71+KlKbMyC5Blp3kKyHSO32xwArJikpkVOZ:I7eBhh/yJghcs8wmlWwBTy1n71+KlKbA

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	pococoIE.exe

Executes dropped EXE 2 IoCs

pid	Process
3400	pococoIE.exe
744	BeIIUIwE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pococoIE.exe = "C:\\Users\\Admin\\eeIkUIoE\\pococoIE.exe"	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BeIIUIwE.exe = "C:\\ProgramData\\CIUQoQsg\\BeIIUIwE.exe"	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pococoIE.exe = "C:\\Users\\Admin\\eeIkUIoE\\pococoIE.exe"	pococoIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BeIIUIwE.exe = "C:\\ProgramData\\CIUQoQsg\\BeIIUIwE.exe"	BeIIUIwE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IiEgkQIM.exe = "C:\\Users\\Admin\\JkAAAEwU\\IiEgkQIM.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUEAAIsM.exe = "C:\\ProgramData\\lAoMQcsw\\SUEAAIsM.exe"	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	pococoIE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2504	1448	Process not Found	1866
2072	3288	Process not Found	1867

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1692	reg.exe
400	Process not Found
3112	reg.exe
5072	reg.exe
4980	reg.exe
4972	reg.exe
4064	reg.exe
4748	reg.exe
3344	reg.exe
632	reg.exe
2216	reg.exe
1368	reg.exe
4412	reg.exe
4996	reg.exe
4624	reg.exe
1620	reg.exe
1904	Process not Found
4388	reg.exe
1764	reg.exe
3020	reg.exe
4728	reg.exe
4252	reg.exe
2532	reg.exe
1940	reg.exe
2412	reg.exe
4956	reg.exe
4992	reg.exe
4620	reg.exe
2544	reg.exe
988	reg.exe
2772	Process not Found
3692	reg.exe
4980	reg.exe
4884	reg.exe
2476	Process not Found
436	reg.exe
1056	reg.exe
1552	Process not Found
4428	Process not Found
1756	reg.exe
740	reg.exe
3212	reg.exe
3632	reg.exe
2752	reg.exe
1544	reg.exe
4592	reg.exe
4612	reg.exe
536	reg.exe
3244	reg.exe
1004	reg.exe
736	reg.exe
4984	reg.exe
412	reg.exe
4964	Process not Found
1652	Process not Found
4404	reg.exe
760	Process not Found
1368	reg.exe
2468	reg.exe
1944	reg.exe
3244	reg.exe
2908	reg.exe
5060	reg.exe
4704	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1956	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1956	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1956	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1956	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2380	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2380	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2380	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2380	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
592	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
592	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
592	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
592	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2280	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2280	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2280	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2280	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1620	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1620	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1620	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1620	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4500	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4500	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4500	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4500	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4804	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4804	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4804	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
4804	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
752	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
752	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
752	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
752	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1824	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1824	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1824	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1824	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3400	pococoIE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe
3400	pococoIE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 3400	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	81
PID 2472 wrote to memory of 3400	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	81
PID 2472 wrote to memory of 3400	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	81
PID 2472 wrote to memory of 744	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	82
PID 2472 wrote to memory of 744	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	82
PID 2472 wrote to memory of 744	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	82
PID 2472 wrote to memory of 116	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	83
PID 2472 wrote to memory of 116	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	83
PID 2472 wrote to memory of 116	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	83
PID 2472 wrote to memory of 2276	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	85
PID 2472 wrote to memory of 2276	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	85
PID 2472 wrote to memory of 2276	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	85
PID 2472 wrote to memory of 4064	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	86
PID 2472 wrote to memory of 4064	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	86
PID 2472 wrote to memory of 4064	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	86
PID 2472 wrote to memory of 3112	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	87
PID 2472 wrote to memory of 3112	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	87
PID 2472 wrote to memory of 3112	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	87
PID 2472 wrote to memory of 1520	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	88
PID 2472 wrote to memory of 1520	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	88
PID 2472 wrote to memory of 1520	2472	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	88
PID 116 wrote to memory of 3036	116	cmd.exe	90
PID 116 wrote to memory of 3036	116	cmd.exe	90
PID 116 wrote to memory of 3036	116	cmd.exe	90
PID 1520 wrote to memory of 3656	1520	cmd.exe	94
PID 1520 wrote to memory of 3656	1520	cmd.exe	94
PID 1520 wrote to memory of 3656	1520	cmd.exe	94
PID 3036 wrote to memory of 3520	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	95
PID 3036 wrote to memory of 3520	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	95
PID 3036 wrote to memory of 3520	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	95
PID 3520 wrote to memory of 4924	3520	cmd.exe	97
PID 3520 wrote to memory of 4924	3520	cmd.exe	97
PID 3520 wrote to memory of 4924	3520	cmd.exe	97
PID 3036 wrote to memory of 2076	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	98
PID 3036 wrote to memory of 2076	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	98
PID 3036 wrote to memory of 2076	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	98
PID 3036 wrote to memory of 4208	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	99
PID 3036 wrote to memory of 4208	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	99
PID 3036 wrote to memory of 4208	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	99
PID 3036 wrote to memory of 4780	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	100
PID 3036 wrote to memory of 4780	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	100
PID 3036 wrote to memory of 4780	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	100
PID 3036 wrote to memory of 4108	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	101
PID 3036 wrote to memory of 4108	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	101
PID 3036 wrote to memory of 4108	3036	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	101
PID 4108 wrote to memory of 2704	4108	cmd.exe	106
PID 4108 wrote to memory of 2704	4108	cmd.exe	106
PID 4108 wrote to memory of 2704	4108	cmd.exe	106
PID 4924 wrote to memory of 3288	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	107
PID 4924 wrote to memory of 3288	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	107
PID 4924 wrote to memory of 3288	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	107
PID 3288 wrote to memory of 1956	3288	cmd.exe	109
PID 3288 wrote to memory of 1956	3288	cmd.exe	109
PID 3288 wrote to memory of 1956	3288	cmd.exe	109
PID 4924 wrote to memory of 3456	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	110
PID 4924 wrote to memory of 3456	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	110
PID 4924 wrote to memory of 3456	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	110
PID 4924 wrote to memory of 3968	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	111
PID 4924 wrote to memory of 3968	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	111
PID 4924 wrote to memory of 3968	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	111
PID 4924 wrote to memory of 3708	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	112
PID 4924 wrote to memory of 3708	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	112
PID 4924 wrote to memory of 3708	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	112
PID 4924 wrote to memory of 2368	4924	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	114

C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
"C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\eeIkUIoE\pococoIE.exe
  "C:\Users\Admin\eeIkUIoE\pococoIE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3400
- C:\ProgramData\CIUQoQsg\BeIIUIwE.exe
  "C:\ProgramData\CIUQoQsg\BeIIUIwE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
    C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        8⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        10⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        12⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        14⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        16⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        18⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        20⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        22⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        24⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        26⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        28⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        30⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        32⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        33⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        34⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        35⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        36⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        37⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        38⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        39⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        40⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        41⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        42⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        43⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        44⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        45⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        46⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        47⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        48⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        49⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        50⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        51⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        52⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        53⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        54⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        55⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        56⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        57⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        58⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        59⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        60⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        61⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        62⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        63⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        64⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        65⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        66⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        67⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        68⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        69⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        70⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        71⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        72⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        73⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        74⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        75⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        76⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        77⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        78⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        79⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        80⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        81⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        82⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        83⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        84⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        85⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        86⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        87⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        88⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        89⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        90⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        91⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        92⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        93⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        94⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        95⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        96⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        97⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        98⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        99⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        100⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        101⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        102⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        103⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        104⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        105⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        106⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        107⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        108⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        109⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        110⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        111⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        112⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        113⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        114⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        115⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        116⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        117⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        118⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        119⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        120⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        121⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        122⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        123⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        124⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        125⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        126⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        127⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        128⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        129⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        130⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        131⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        132⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        133⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        134⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        135⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        136⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        137⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        138⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        139⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        140⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        141⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        142⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        143⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        144⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        145⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        146⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        147⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        148⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        149⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        150⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        151⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        152⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        153⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        154⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        155⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        156⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        157⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        158⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        159⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        160⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        161⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        162⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        163⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        164⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        165⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        166⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        167⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        168⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        169⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        170⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        171⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        172⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        173⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        174⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        175⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        176⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        177⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        178⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        179⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        180⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        181⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        182⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        183⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        184⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        185⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        186⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        187⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        188⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        189⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        190⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        191⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        192⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        193⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        194⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        195⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        196⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        197⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        198⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        199⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        200⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        201⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        202⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        203⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        204⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        205⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        206⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        207⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        208⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        209⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        210⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        211⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        212⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        213⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        214⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        215⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        216⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        217⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        218⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        219⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        220⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        221⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        222⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        223⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        224⤵
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        225⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        226⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        227⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        228⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        229⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        230⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        231⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        232⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        233⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        234⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        235⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        236⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        237⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        238⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        239⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        240⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        241⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        242⤵
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        243⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        244⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        245⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        246⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        247⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        248⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        249⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        250⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        251⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        252⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        253⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        254⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        255⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        256⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        257⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        258⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        259⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        260⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        261⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        262⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        263⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        264⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        265⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        266⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        267⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        268⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        269⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        270⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        271⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        272⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        273⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        274⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        275⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SowIAwQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        274⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGgAkcoo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        272⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        Modifies registry key
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziIkkowk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        270⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSEskcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        268⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xawMgEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        266⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcUUgcg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        264⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKsYoAAI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        262⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqsEcccc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        260⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIcgYoEY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        258⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lakMAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        256⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAIkksA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        254⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeckkEcg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        252⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWAMUkQE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        250⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEooogok.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        248⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggQskQA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        246⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awMIcAAM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        244⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUwwAMQw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        242⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:1728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DywQQkcA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        240⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEAMsYkM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        238⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmwQYgQY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        236⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMgQgMEU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        234⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOMoUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        232⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyIQQwEY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        230⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IukYYowE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        228⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugUwcgYg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        226⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgUMcccA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        224⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkIEscEU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        222⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEIwMIsk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        220⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmYYcAII.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        218⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqUIQQkA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        216⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyoMIoUs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        214⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WawkwMQI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        212⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COcUIcYA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        210⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsgEsUIk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        208⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkAoskAk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        206⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToUccEEw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        204⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZggQIskg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        202⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUocAkck.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        200⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQkQEgAE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        198⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAAIoQYU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        196⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwMYMEIk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        194⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIwIUQgo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        192⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCswEgww.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        190⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RioMIogg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        188⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POcMcAoI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        186⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feQoIYQo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        184⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKMYYEww.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        182⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkUIgIMs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        180⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwckUYUo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        178⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsUcsIks.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        176⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGMEEYwY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        174⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGscswUk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        172⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyokkkcA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        170⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViUEoAwo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        168⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUwoIogg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        166⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssUsEowQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        164⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccYccwYw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        162⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyYQQwAM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        160⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUkAEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        158⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqYIwgkc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        156⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgYgMUUA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        154⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCwUkwwg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        152⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQswsIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        150⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQgIIQow.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        148⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIwwEkMI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        146⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmgEAIgI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        144⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NowMcAcY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        142⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsoEoEMo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        140⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGIMoQEc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        138⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VakIoQQc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        136⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwcEIkg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        134⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skIIcUwc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        132⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcYMYAAY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        130⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsIAQEII.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        128⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkIEEgAw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        126⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGgkAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        124⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imMcAEgs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        122⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUUcIkwk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        120⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqAoscks.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        118⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwEMQwUk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        116⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgIMMckA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        114⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSMUgsIA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        112⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeIMAQMg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        110⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYQosAY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        108⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGkYIYYI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        106⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCQwQocQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        104⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYkIEMQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        102⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwQskAog.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        100⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQQsAQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        98⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duQwcwMg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        96⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmkAMAwc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        94⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYsAMogE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        92⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUwcEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        90⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZScQkIkw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        88⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCsEEYQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        86⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwEUUEEg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        84⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMgEIcU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        82⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iasUwIEs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        80⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEwIEQAM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        78⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgUkkQsE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        76⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUAAAMoE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        74⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQQoAYkM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        72⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEYUgwAA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        70⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEIMEoIk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        68⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgEMsEIU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        66⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGsoQYwg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        64⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUgcsgg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        62⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOkoYUUE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        60⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUkUUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        58⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWMUgMYI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        56⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSsEoUMc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        54⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgMIMsMo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        52⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIgIUEkI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        50⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsowwwsE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        48⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQooMMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        46⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HesQEQwU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        44⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkIkIckQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        42⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeEQMkEE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        40⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsoQoAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        38⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciokYIAE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        36⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYooUcAE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        34⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeUkAUcM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        32⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCgQgoYE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        30⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZessAMYA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        28⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAkwkoYg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        26⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYkoIgkk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        24⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiAoAsIw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        22⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoMIYkQg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        20⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOkskYII.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        18⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgkAokos.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        16⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcoQwoos.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        14⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEIIswUU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQkcccEY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        10⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQYYgok.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        8⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1728
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwIsggME.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqQssQYk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUMsMcYM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3656

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dNBnIYyR60GK24wPX2qYKg.0.2
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CIUQoQsg\BeIIUIwE.exe

Filesize
186KB

MD5
b66f8e6a8e7bc8ae6a0c997c9c7efa90

SHA1
c97be14e7b993f40ec29816825605f4e485864f4

SHA256
2ff2cf9e8e737f92cabaf135a8d707844f5784bcb1c9c15bc163c0c64958f65a

SHA512
b2ac1a8ed2f9e10d8cdecc2e313695decd8ff901e6f905bc132301d5e13620f981cd74b680e6aa151d51a707699246ce77fa5dcb013e18af0f61fdeef0b4b463

Download Submit
C:\ProgramData\CIUQoQsg\BeIIUIwE.inf

Filesize
4B

MD5
562d530ee3b3e50af6dbdf41d2831e3a

SHA1
561307549eba2284bdcc39a598f6bd5c924cad6f

SHA256
c1caad64e607d9bc30c9b4650a98f07ab682fdb8eb7df49eee6edc47dde83e5d

SHA512
1479ac78c9f9a2a19824ce0a9447ae07983516f69f38a859f99e57948166151795678ecbf6519cb715e043d2e70a95a4b1427a4d833744a9dee4705eb09b8b5e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
313KB

MD5
66af0c376b765da1e0656e67296eea2c

SHA1
f5a894c9a8ece5c2245511b8786e09091e985608

SHA256
fa73cf10383ea58ce059fa73f88029563134443d35bc61e34ac43c8dee866d39

SHA512
2424a840319d17c6c1514e410d04894fcfaefed1e6d24b4b532aa34fee79e806e1fa204e0bea6e4b2f1bf522cd32d841a4c03c3c582bc50f421597b937fffa44

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
231KB

MD5
7bb12b3e1c328036c25b21d51107874b

SHA1
dbf29e9b61c05f60c0e8c68e210888044dc658a6

SHA256
a6727adc7a7d002e5d60bae1b6f2f99dc1c090ad4dfffbc3c60076a5ff342ba5

SHA512
bb3dfa1340d8d620d5fa827da95122b98c444cd361c22afaee968f0acf54d2680888e9900f8574308bd559641bf2d1a80fee2da5f6bd5acdcebad5ceb2d11465

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
305KB

MD5
1a6af1a4588de6d743300511fe606415

SHA1
5823ebebd716dda3997ca0eab0a6e9967165a07c

SHA256
1a31b2358f135a9ef7eb3eb56dec92c3920fecf01c53630922215863df1fb007

SHA512
ebd3408bc4d787d49cc387671199e7d289e4ca15a34a21f2220e06b7b23340cb443b919d560351819fc1b26ea2243fcdb0bc48e3d6c0bdefca85c70a04587b53

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
821KB

MD5
e95f1d3c7c3a39bc45dfa36f1495a9c0

SHA1
5b2f1f7ce1f295dc44f0ed6a8dd8416d4dadc848

SHA256
e4b49e51c6c6c4644b736a2657424808a3e417e1bdcf537b505024685f687f74

SHA512
8d472ba3baef9594cc326c09c265dfe8d40db6a30539d7e1d3a042344735c273aca3364d9e3e6fd1ee417e4cb6d0ce32c71b631598b79b03c84760c1cb3d2634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
201KB

MD5
6747d71ce9769bb547d271d3b6c7d621

SHA1
1248d3bda2e369065937eefb031fd2903f5ff713

SHA256
47d11aa70d75228b36b7841a48e68b96eeaeee075e82bfc81062fec1affff682

SHA512
b906c2c68ab4c21535dadb8433c39242ea235dd9f7f1231ccee1c75e11b9cc81a5a0ae6b5bf02b730879666d93b8b3c3d814564273b658d492814b98afd57d87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
188KB

MD5
a58f3369501b7180c6ae3657140accd7

SHA1
4da2c309cc420c3db268ecd0e676d030f6187b5f

SHA256
72c8184d32dddb4ee6e1e78790e836055545c10e80e3c128efbaaa4abc709753

SHA512
49e0b9d2dbf55eec03aa3bbfa21fd0a3df814a7609630a89971fb879c939badf6ce65c6b3c70d3093ac2cd2ce803ef88d32430b27b5c0a58646b94366ae3ce18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
182KB

MD5
7bca7f6b209dc57bbb2598c2f6c37979

SHA1
71d44ca9bfea6deb5f8ea81a86475762c3158771

SHA256
0330a4a9015922f078d838f6750232b2602bf27d584523ae733949d8ca80e27d

SHA512
15c7dde933872b3e079b9162c1c71da322cb628ab97e2efc0df2c46458d6db71628de49b115a228e50699101da94d8c21f7d936dff2a677df908f23334789045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
204KB

MD5
01468fc09fcb85fc19b02a12be851ada

SHA1
ed0a162eb63dbfa4a30dcb29a635b1ba132568fa

SHA256
d729411eef1a62355cc66cbf97cfbfeefc5be7a99d16cdd32e6ddd82d7e862c5

SHA512
0151c672641bbe1773d1241bed0ddce60b564560e9d364aa86885932cc9af64addf91af6b998230bd803d3bab39d430aa36a76c2dd4576b420718eb126a4153e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
207KB

MD5
854d3acc6587ad0426e1de0e59c5a85b

SHA1
fc07565635b7a733b2d49a0e4f9d5892d5f2e46a

SHA256
d0a5092107839231c34e0cbbb8cd160f3a2f212e36c62bdd0e41c4f6780345e6

SHA512
905493a3a69f380f1437cf0c0512537f8891b1b519668bf97e543f9f168792a143fbe994837f35083272e2051d5fdb01d000fc0a1e9f7f99d0053641edaca0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

Filesize
188KB

MD5
88d4095e629fa07b004971dabdbb407f

SHA1
d7b036e32c7e58fdb5a44ef75bfd3d68cc5d78d1

SHA256
e083f366dac62876494f7648335acaf1daabf8a0d3cbaca8215dff2bccebfeb8

SHA512
d3a92b8219e13f372763a56161e7c26eb75f2e253deb16d79dd0c38db5887a577ca268218b298cbe2eb480f8c4aff58f3c65483f19a409d66ff5a36fae065176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

Filesize
195KB

MD5
7032aab82969aef05f5b930131dfc0e0

SHA1
60d66209f60a1b764950ca2006d3248b1785886b

SHA256
a75cddda4baeddc03ecbce884c93c348a377a973c48a3714e9f2325a8a6e0905

SHA512
2f72092289aaad8b882f10442705deac1746028f35f16cf8c1738a89f37745ca592a731e4fc0afd1c6b0177f333bb9b42d5c42694c59ec2885985305463212c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
184KB

MD5
1d95171166b13d0184d8e4cbd5933339

SHA1
071dff72b38808176e09bf07354a2762c57f41b9

SHA256
d6d38e482fa000d64adac0f50987dc49c38d070e3db4251e01e0f71d9707c6f2

SHA512
324d4ee45d88df33e701f60e08aa36e5b983dda367e699be9516bd517ca21a701634b309550250968210db42a94f0af5bd3c2e098530135d24b5fee8ce0d83c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
202KB

MD5
068412d62a0b86bd5b88ccfac28337b5

SHA1
ed757f98ce8eaff02397795c5f7e5e149dd8d209

SHA256
b7bb8d3b4e83f0bbc2c2a0d63f0c42000564f30c05919a34230eb2e08712f5f2

SHA512
e47d74fdef7967c15eef32b82164343c29ea269c5a128c46e4b3e06edd0fedbd99171b68dc6d1001935dcdead9324a3f036665ac0c84bc37d3ab9bbb22366964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
180KB

MD5
03b5d2f0eca117f9804283c85bdbfb3d

SHA1
fa6f87357360d6a25f48e894c6421c5fc2396913

SHA256
dfceb148ba747b7d1c24d743bd52969cd90e8773224917055ea5451b5df6fbe9

SHA512
7bdd6b55d89c1a5380de665958674b8a1e6a743ac53732d8e01202a2fc25a4d86d6dffcd8ce021f335674800f661420492e3196052c8f4f47936aa52312005e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
199KB

MD5
e686967817fbdffc680502efaf258e48

SHA1
a188554bb1da42a91fc689ccc44d40f8067b2afe

SHA256
534e753ad9a519b72a043afe02b0cf956523716f4249973047e1579203b8a2cc

SHA512
9c0ad91f2ee96b91427f54bcfe130b2e9626536e4c1e01f9f35f515f195eb4ca7372e1ab1302e6497a267cee469f00ec65a9434f67a912c85391f13e438b4533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
195KB

MD5
91909f94af3d528e5ac9f2436e736c19

SHA1
71468e904b963360a07210e1c2aee54f49a81ed7

SHA256
232e674cfa3cbf26b3919cd067ea39d8de705c9986d6ed2cd4b4e09b62e1fa96

SHA512
2319b84323cf14e40c792e103d899648bc38b313288861582289c73ff26d748a1fef6685203059073abab6263dfde7928eccf5185bb5a5193409b8bad79bb10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
194KB

MD5
6d3fece2b63305d3ca5c7861dd110f8e

SHA1
c4b2cb3d484c0818dfdd76fc1ce4afa86198b44c

SHA256
3403a88907c25b7d323a77f4758992e52ccac8f33b22d5fda2b4fd7fb0792356

SHA512
6123914b51c21a3caa2d291bb5c8b34c5f597a1562e8cc3a4e26423669dc59bf50ef3285b116fe5e9386f9123121ca02e547c8380ff8ec9bdf4c9e75c71f25b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
206KB

MD5
f0c13c636915d742cfeaa5519b0d6a7d

SHA1
4cd6626cdb2ba651f6e7ff364bbec887786e2b0e

SHA256
65858017bfc99c55b894221155e55910f2f63ed9540276128e4cf36bddbcead2

SHA512
10e3aa8b4c04f6a358772ebde923046b2650a21dd04dd0f1ea5454109e65f1895faff47d5e57d2f2943b81584e5c6bcb0b887c4adb4d4738a1d3f309ef57ea99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
214KB

MD5
6802395c792c63793a0b77780ada2cc7

SHA1
874d3f5cdd349bb32bbdffebfc4e506e7e5bc0ec

SHA256
a6d5ee91fd3169e62ef1a1275350f5d96eee69447d02ace1094e7bd85c428a76

SHA512
12349391bcdbef39819421467e9a6eacb3ddfbb51ffaa77c2cdddeb781d4e4f17a4ff4b16ce070e4cd64346b54e27697234738040aa6da05d0f0f09db6b46662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
203KB

MD5
a149e715b56202e1ea4a0c16b70fa635

SHA1
7da7868e6fb5462c567478995868b5e5b023ae86

SHA256
97c9f01f1a4062e7dac3fd6895008589de994182a968aac92b7c1d6bcb8fb1a5

SHA512
e332168ccb6dc6e7fedf5819420949ffddef9b0e50a0b44f42606c9f76bdbcc207a610e1e82fc3704736eabef57f019849e180b9f3873214bc7361f9cccb6bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60

Filesize
4KB

MD5
326f39263fee1b9a53c578b4dbd67233

SHA1
5f9d41ba6319890ac3a22b16c0a937cff7f8b13b

SHA256
521340bf028202202d35a2bb614a5ecad9caeb2152b055dbfd6bc8bae1a757a0

SHA512
4708bcd37632de8e0070a206bdaff1af0a1b080a3f53142314b0bddcef571e65aaf74cb52eff51e6e55bdfd0d2fb4d4bb1e7430015c8f409a69e1ef5efc19805

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEkm.exe

Filesize
207KB

MD5
b1ba6e67a0e63b6fce6f3149f93abe5f

SHA1
675d8216058894ff296a1ede6bf949ace41554fb

SHA256
07d2189d822d0f544deb385761cbb8c71d6926cc335daeb651f7e3f04362b229

SHA512
7ff4dca9a35b4a3eafc2320afec3c6188e245373f1c78c89b516c8e629879a8dc29d71b31f65bcb80c496fa19fc300ae082e713fad3b366525a6f990a30eee8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIU.exe

Filesize
227KB

MD5
d769c41893e6131fdc904bd6aec52a93

SHA1
c05ea2bb424214cc11520561f4e9db6e62021602

SHA256
aef11fbb8a1e8484268c9b213e0d4ac67fc6addae36f7c020dd7894414dc9958

SHA512
6ca87459e18a7c5bd3519d139d354e00045fc8a127d45080de6d1be75527e57ae0d3bcc674a2e04f34e480b161769806f63f054e25609fc41c4c248d4404d7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkO.exe

Filesize
190KB

MD5
2261fc1a99904135bd68a907db091e06

SHA1
a60383f922e2b35fbbc52060139e528cf5c7bc11

SHA256
38a308aa1a90c868f6c60f09281c9d0eace8ebb0abd9beb20b73d18df505b506

SHA512
78064daedeeb1251cc885fec624d1c42bccdbef3e12f2259230470bb9561982d1d4b407a2107f9461d7ac75701bf584f8393e34afae77a1bc46adb531db3c153

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUcS.exe

Filesize
833KB

MD5
33f76698cadd916b7bba9e967665eb41

SHA1
074ce3c885262817103575fd54411ec599d50881

SHA256
a1d3647476181b64461e9814707a5896834fdd29f306d2ddb8b702aa3508d9c8

SHA512
8540aae0ec50409f22c0bda0052db7f1a137e215932268abc3aa2df2de4ce183cd3104369e15d7d06f7a1d39c30d7989a04f5862ffa0ecba8c3434ff5f601733

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkIs.exe

Filesize
189KB

MD5
7d24a59f2fc371df10e3a480fd1c6779

SHA1
dce21b62adb914e15480918d9dd85380058e4373

SHA256
f22bc5dba1d289287bce986c078aab65f64572d2f821ff1a9f5f5a64840ae551

SHA512
09370281939e0e5be7e362713d276249f4677295d923419af2050083a17f7eb14f2247109e15101b635342d1bc06b60de1cd9e6a5998df597e3fe341b07e2a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\AogI.exe

Filesize
199KB

MD5
66043fb95eaa5b94d382a8119c1f2156

SHA1
fc3e691d910fc4e9a0b1ce9ef5a37e584a942887

SHA256
6d2c8238b228890b1f9231e6f45f78b5972192de1feed2c36d17f29b0c6967c7

SHA512
c07b880a7add52558c6d1f375b4090f87227d4c72428f7f604ad70f9d59e862fa8106ebf5ae1a8f7294aa8ace87798192ea65425f6d08c03279d4acf58b5c03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAMS.exe

Filesize
182KB

MD5
670fd1ba8ff1c3f519fe7ecedb3375b1

SHA1
9abb7b3917f962a0d17c2c7d4edaff4dd2f58e69

SHA256
83fcdc0341ccbb83a30ae9b0a96bc22b55e7f76a964e3bf9b8e098fa88926a02

SHA512
0b4620938c823507d5e63eabee9caf1ba8df6390b5976ebcf07e994d0379fc29f0fd1599ef86d17863d9a689be3a4ce793b1a83dc8ecabb49f3791cab37e4a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEgU.exe

Filesize
796KB

MD5
d2784d36123a4b0aa4841e038abe2bad

SHA1
35201e94e84d11f1c8668404daab8dc374064186

SHA256
651c38427e777ff9d108a7712cefc1dc6c2b3989adc2e10ee475215633bc6ee7

SHA512
7b94d09aadcc5871a42bca77be82bc3bd9e733b7ad3f616b9dfb1be4c5e069ea7a64dda854826918ccf85f5fe1334e375db402256bcf29e40abb4ebe30f30927

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEkc.exe

Filesize
808KB

MD5
73eafc321f518e194ba397b6e25d6313

SHA1
1a4b8fefc94863bc3daa4f31ea248087aef8cbbb

SHA256
893e79d5203e486df14cde30885a699d1a0eba571afbc3da5096f6696c7a43ff

SHA512
ec88ef8c1cbd2e97390869b1347bb5665fae57295d64eb08abe078c3cacdaccb011a350c0510d0ce30e4fd36a8ec28e78256dd76cfaa772eb338605629e91717

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYsm.exe

Filesize
196KB

MD5
33a8d52f4e05bbeae02cb3329664a881

SHA1
873e48b266eeb24ce8ba1a70ea7db8f784bf279f

SHA256
fdbef6f0a5b66e18172b0be49ab83b0a5be3bf9d5e29858bc98127bc619ecd42

SHA512
2076ab86f0288be39ffbd6c9c070c86e2a53da433a0115e663aabb0ec260328566aafdf5ac0bc433e56a264325e2daf037f560fab115c35d0f12485f909295e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EckC.exe

Filesize
209KB

MD5
4fbd0563bfa862b383c3b200b2d8ae6c

SHA1
85b41827f82365defc041c8f49b43055b0c94b8e

SHA256
903dbf0eb3fb39b93b2b56c0024dce8e638f4ab42b0ed03a95a175a21b9dd522

SHA512
b255601709e910deb3a923593f5fbc658bb3a3a4fa848c324d463e1aea3ff00bd1205b169a6e99339ac2319c5d2c4f1dd31cb9d3130fca745fb0b29c01e29e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsI.exe

Filesize
380KB

MD5
cff4fe885093057497895649e624f504

SHA1
070aa50770616869a71fd72081d1c6032d470ad7

SHA256
03fe9daf3a204e655e88340529140e6bc6843f779a710846dcd647ef2579700e

SHA512
0252426de85859c3869ece7cf637b027030f59f33c3fdea96532d13635639d308070a78c25637d1672852cbcce900a11fae716be93e284420d475a5008d9d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GggI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIs.exe

Filesize
624KB

MD5
a22ed6ccf190b5bb46d4644556fee53b

SHA1
26984412b9cf4c4d7c4fbb6d5bf9975d853df540

SHA256
5ec0de6354b6e15b682dea2a3c5bf225db78b0100ed142f6d3f37cf65bcea4e4

SHA512
5bc044ade2eefcdc337063d8717fd74a229336471b75c2da1590a15560cb50bb1f5590ca03693cd5e356582018e38eafd0cf12d14ed98ed2d6cd106d3c857c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEUK.exe

Filesize
189KB

MD5
2d368973227cfff28ef0e7241ae4001e

SHA1
76c5a06bd15a574f24c9b77b6a9ebdbb5fc82cee

SHA256
b12e075e63ec3708a4b4101bd5a9c9a68c8e2157f32870f7f68b62bad0a41b95

SHA512
5bed2073be9e32e8675b0f95c7f7b9db3f742a7b106ec67bbff6e92f1b95670b943bb732c672378726ce386daf02af44cd2452decb8a88b728ad47625f7f080d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgo.exe

Filesize
192KB

MD5
19032db28ca03f6bce61f5ff9a9111fa

SHA1
8ef933425d3519fb4b28d9d6c0450e7d036c0005

SHA256
4afe50621d5c05eb2e5a1965078b4774b6261270fe7f341b56d1b8a436753584

SHA512
c6a172a70abfc5259ac93ffe2a11724fe58fc9dba4f53a1f56bcd8825324dc22d8d630e2902504952259e052af3e837be3575bd6b304bf5ddc2834802865193c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IscC.exe

Filesize
189KB

MD5
70e4f0782367fec3ebd0ca5e1508b767

SHA1
bd9f3cb18480a9bdc2eef3ade74ab53787c889fd

SHA256
104a8f8574a0637df3442bfa4a1e1d76b4b7894a51fddf0be0bd20aa839ab0aa

SHA512
49e5f3181dd0ad569924d658ec141ce3ae05e398535f7e12da11fa75beca57b6bd808be30d34349a004cbe37ff470843e4195d6ffe784a0d60c4f09c0a95ace3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQkE.exe

Filesize
193KB

MD5
a84d28064260fc903844261772a16d08

SHA1
9e965fd488a57d95fbda99cde3a0e52883383605

SHA256
5ddd799a8dc2d81688e7216abaf59ba45faee5c2ea631c7152f10a10e7a25d88

SHA512
d8265a58256ec52b1844ad71ad5e8914a50c69eae168583054eeb672472409b1dc1b3b4b471ce2d1ea433a5daa95dfb56f30796e428ecd11c2b1e4474736be29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kckw.exe

Filesize
772KB

MD5
7707240d91afcd61833b4f67db4828fd

SHA1
fb0a000c95e22e5fcaaeedef7854e9bc9c6bf819

SHA256
8151bad8a518ff4ed797c2256d2228cd582bae98779a5711d21d36c4c7bfa938

SHA512
b8abee8e7812fbd706f85caa2de9de9583371943dd4af58c32020cdb3587e75b4669cfdb538d18419ee1fea821e847638abfeb4bcd0f264de0ecfe597bea88ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIMa.exe

Filesize
585KB

MD5
e7497660c149acea1dc04e9c55a00b2d

SHA1
b965d57b49c3b90381f621f9daf32f41656b2b5e

SHA256
ddfff1e15167910084de014acdb3639a893b4b61eb5a8180bf8ec76aa0918903

SHA512
b0213b38179d2b0010e026cfd925f865e10a60daae9f3df77ecbd4d403060e5e676bb448bf2c581e54ca6ac1ba8fda529b813f049e7f6c49c1f7972f3fcb0b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkM.exe

Filesize
646KB

MD5
5a7595f44ebe059862f56350981c9d26

SHA1
b6196fc8dfeb0818a3cb5ddc7d6b63c58f9d92d1

SHA256
f974dcf70cc0ed06885368c17d5c749a8ad8512795689f308e0128195d45eda9

SHA512
be799e0b108376be7cee6b1e5fa7d8bacb1dd61a11169a2886ff6f568db45f27544309b92bfea52c5c897eedf9c704579cdb625ed7613fb2c25f13bf673dd1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUok.exe

Filesize
197KB

MD5
9669eb3f49f0e31e6d6d90c43e093f8b

SHA1
dd09d76ff77bd1ade7002105fab458e088c1285b

SHA256
53165133bc25cb0713b6ecf47ff067aba41f8268e9ea86b32cb8a824bbeb897f

SHA512
3ddfe9bfd4e029a699c77a4aefffbd690cb3e218ee7cc9c1c0d14a7f7f5569975020e46c0a8a83840a03dbd3ac95772800afe8c993eefe1473d05a9de67e68c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYcy.exe

Filesize
204KB

MD5
6a19c1c6aec5b7407d7a26095984fe9a

SHA1
e0be6508e16b4db402188d67396e991ee9c889db

SHA256
b83243d0da700bd692af4dfb6a3341c5abee96420375c808d1822ed78dda6f6f

SHA512
6ac599b5067549458d5439a162cf3b39c1338cb3f0d6ba7c382314f8832fcb577481855a17a75011b3639fe464fe4ed154130097cf55ddc83460cb35104e8d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkIO.exe

Filesize
791KB

MD5
59e1a9fee80e3f986b556d81cc113630

SHA1
81946a569214962f889bf3d98f5e224f5315f333

SHA256
43039b41cd7c4131d3f81e6c9ffb1088807504e2bfd969f360e85c1238991214

SHA512
09b314b4b7b469e0aecc2c1ed738bd89b9a508bf76ed8a58e9a86d7cc51bfa5a431bb658a3f5c39f6b4e1507d96c1ebc0a72c76f61b185700f1f702397174d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mosw.exe

Filesize
193KB

MD5
f45b984818e94fa82cba632b21f8e841

SHA1
218384d3247f7384ac0930e09b356c83ff24e48d

SHA256
b3ae19a77d95a9d61d69c428d46c126ce42f8b4006bfbc3ad4ec0b8cb874a366

SHA512
561629d1806ff3d969d8aa2230a8a4cb4b75c58ecd144e615db805faf85df05e3f7c020055239635aa0048bdb7e02a33e1b864a4e4de533e136bded122244c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYa.exe

Filesize
571KB

MD5
b809044043966e7bc22e5bd2059f231b

SHA1
69dbab1f16baca5756093838ec74b2e228d09758

SHA256
0fb43dcc870f8fb29823fdbbdf2ae0dad22e7d43066a51d65ad8f3d21e9cd7b7

SHA512
65ee0f8c4389e29db60d500f7edbace49cb9d305c71753ee87ee0e496ff37c53c893f1df2517db05d6ae0a960701043284614ce9b1a43da4b3f019f814fff03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooca.exe

Filesize
185KB

MD5
eb62beadee8b8059a04a6194e7f1f96e

SHA1
c761451eb865cfc4607a6f52ced6a8372ec694c9

SHA256
f6a18ff3fc5fbfcba5775278a94f68c25fc2910ae38c3ed45e9af4c72cfb44ac

SHA512
2190f42dd83d60a3b1a50cd40805b2b8160635f5728680a4b295c62cc73db4790e0de072cf47e7888e64983109cc743fdedb852897b27b043d7c15148b7ce5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAom.exe

Filesize
766KB

MD5
a3d7e8a2faf7e33376d2b96fc966f323

SHA1
a4e87cceed9f73d29c4b95e81fed271f53d0c32d

SHA256
6cf3a783a11916fb9bd9e797e704a3dc1fcf0454d2ac8177ab460a107e89abda

SHA512
b2ea49ee57042cbad893b28a33d896ada1180642ea1e80fb511895a4be9b789f4a1b2158552edb97d940498bdbaa39dec50d31f3d6d93175bfe9daa4c0adcace

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMYy.exe

Filesize
189KB

MD5
2ac9b6ab24b04552894e4d6098071267

SHA1
6547597a49a774a94c85306bbece3198f7a9df84

SHA256
9b0e118327e02b3c3a84cb92623766cd6cc5c6bc32d9368a32e9c838d832b569

SHA512
cf3ec7dd4db84739a0a20dd6c2dad74ab176387dd0c0ea3ecffbbbb5a71664247d3bfbdf964b2141e850bbffccf327d279d2c0d602a1d944b838d5b4f2ce55bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQwc.exe

Filesize
197KB

MD5
15c2e82bffaf1583aa5454644c4d6623

SHA1
05cf608d7672eb12793b006b534aa2afc80061e7

SHA256
de87e232a602ab22d162ac16b2cac3d3ceb0985b0984095cbfabcd80e63a1801

SHA512
05d59e9467116fbf8405efe87231621bff22b2debb680ba2ef63f87e2be71063b5d2503676e7ad4c18beb2c73980fc1e7c20cafc91a399dff008a56df1c03a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkQy.exe

Filesize
222KB

MD5
7a0f48c445f14bf31ad0d7d805bdcd93

SHA1
9296503be20f3e72ed920a9e3d3d65d6898d4ccc

SHA256
47a2090c87d6e51f08bb8b7b36b968283310c81a8bad33b3d1cf38ee5b85a9df

SHA512
de11ea7fd6f43382145f7934721621ca9785a6ac64f95d56e0f2e11e1c6b0a988b574c32679f609132d439c200345b267f08c04f4fbb3aff7dd05285291f86b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsk.exe

Filesize
192KB

MD5
d26ff9f1acad4ee8fcfb5b6315c16722

SHA1
7518ba3ee7cf9f5260398eb2232f9f19c02ba9a2

SHA256
d09b9aebd8dcb321ead1694c24e3e91d510937b9a9a61e32b62bc5cbc6d55c8a

SHA512
b27ead480a830b9762ed2c73b70f561fc015f84b330d0f460546b5a7dff2a6cce3d7036f6d2f98462a3d665213d2c0d3bc58ed1495406c15cd88893bdeaaa6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQkM.exe

Filesize
191KB

MD5
f325a90d66095c4aa1abe1ea0ced06fe

SHA1
aecb3f97669ba70f81cca7de288db7bcb2e385dd

SHA256
b8febcead7e3b6f21a5f967c698e51f4ff32be3f42f326f533678341b398ccd3

SHA512
c5307a18201bc2a8437e05d212edda18575d50c08d37fd720f27662e547348dcb685d9f0ed17bfd35c881a37f63df3e7bb18befd808b0c2c3a1fd8a5f94857f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEcK.exe

Filesize
237KB

MD5
a23b1654aee462540f3e4e4874445b59

SHA1
ed0b977a670ed2928b08bf9ebfcde53d3b7dfdba

SHA256
f932f4ea1f62cfb7bccdcac85c27ccc02a1a76bda9709ed2a5410a3bd72e1818

SHA512
b074d6158f82c9eee838adacc2f58b84000290d8efe9e9675a1462931fc4827e0df912b4e08c3a0c1fdcf60f411b938a5d06738c8390de8d07a7057557cedfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQwg.exe

Filesize
209KB

MD5
5293c633e8c9a44109878cd931535b6c

SHA1
801211f78cc07883034f62b6490aaad2e04afd72

SHA256
8e3319bd76ebefa8ee67cc1cec4b7623f9b5fd8d4494088dd2a7c42a39910e4f

SHA512
7c0c271eaee410a68c8481dd724c89f42fa8076451c35fc651d96391190544010b98dc9086c800eb8f7e6d1646c454a127d9b441402174f1ddb97cab9226254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUcG.exe

Filesize
443KB

MD5
850cbfb5947a45550063ed7cf723aea5

SHA1
588358c0bb30df57a78106ae088733a81479c0fb

SHA256
c2bcb9b97e6f54bb07ab1b6014b799297806cba2be2f68af8b5c37c82c10ef86

SHA512
ef190ebbe192835c94e2ed674ebcd0a6fc42a0cb502ffb6c94750684470842d419c16d1dd21c8ba80f5379d15d9d4dcfbd7854b2cd21780f9ac88a567ef31f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\UggC.exe

Filesize
189KB

MD5
8d8c2780bcb8e45a1cd9242615e77709

SHA1
b37f18bc0d351e742667f5a2b45daa7d43da49cf

SHA256
2f4aae41298a93259e532433be1b1d216d18c2367f940a6a63b54ac730f270cc

SHA512
500163d2e52d2923ff77b7e451576729de9ddb265d2402e113db9458f258896a225986763cf79b862e50d759fbfd04a32da1be2d8c3f221b99933f1d9f546c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcsq.exe

Filesize
1.5MB

MD5
22c63d5bf670355db7e3f1edaf0df325

SHA1
03a9c8ed62ba489c09a4c6927357cfd2fc5a2962

SHA256
d819a6997631ef09d1711c937823b7aae80482c61f299b0bf8dd3f530e416d58

SHA512
4b066bf0d29016e02eddb01db3fbe2682a50e444d9f4693875ceddfdbbc4c981b4abe8080c9ded9613537e2df9ad99032cd4bd7870dda52034b72e1c24af9cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoki.exe

Filesize
240KB

MD5
f20f932b471345590eab8534f74664f3

SHA1
3857e43c223302f464d332de2668c0b006b218d5

SHA256
462e1b0c13c08d0a420486a6792b7183960e515031711fc99ef1b16e658f6764

SHA512
36b683ff23f64c63f78ebb90a7d8b94a3cf7bee4e09655f447b2688ed08f6d2593e5e4a47ad32cbc8542064429557c884f2af941e5ff90987fba827568a379f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwAI.exe

Filesize
196KB

MD5
d7b3467cb3930197c531f76bfdbd008b

SHA1
00bb71488424394e70719190ca5b59fa7e6a4889

SHA256
40c1f385129102eb96d8d44e73d3eb2660f1d20e9196381fe275c387b42421f6

SHA512
49dc91e51565f7ee2e0d8e2f773c2baeec0382d9b01749de2ebdbcd89c3b77f0ff1e0104d96637fb0d3c5601f2b826bb8a88f1e73976ee4316f61cb4cdb993ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAcw.exe

Filesize
198KB

MD5
550637bf5de6e888182d2042d90299e0

SHA1
c52e16dacdb4eea84af221ae708b898e07c2a719

SHA256
4da2919c64c37221e9a2f8d010948c231222d1966ba7a22b477380f742d3412c

SHA512
08d57108a5aec32734ea28830cee96b7a5cb8778384cdcb1a22e59c365d002158781b3f9aeb95651bec8c2768c5b682e784be8c30d54b98c506920816f21e6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQq.exe

Filesize
312KB

MD5
e5a460a570fd3f6124a24fa6de5cf237

SHA1
387a97cf104bb1c9d4a13966e49ffe1aead708c2

SHA256
666ba1d3705074d14f7bcfc5b83a1f3e4b1f370c845b82a02e6344cabed62f89

SHA512
7d63ac0ca05feae1e738c033635cebacb14f3622f0f6f684063ca516ffaea49f7efe9bc926aac0de54e524dc2d4e57e7055dbd77e2d180e69630dc8f611f81d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoS.exe

Filesize
221KB

MD5
1ed09c252bc6550b361841db70ff78a3

SHA1
b91db7b4994068a5b5756c4bd16ca0d95b8d15a3

SHA256
273360d42e7b7cefe12fc888f0625f68e193f0759f82f674a73e92c49c98f343

SHA512
5655a7ffcbe287c80c392ccfad74c0626e68b97a52ae386d5de5638f9d0c0af434297657bbe3b85c7af3c9e4cd364a35a176d5270614597df2040de2a1ee6918

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIIo.exe

Filesize
187KB

MD5
c623cd03f9fcbb2e7249189cc9750058

SHA1
6d412cf5cbdc9fe5a042dc55d6cf5ab9886edf1a

SHA256
97250fe3b76191b58fe955857b782a680f9ebc737073da2d81af6d64421a165e

SHA512
38d2d65b8fbae600cc334e6ca18313bdc566b35f73534b6d7c9e2c4fda9e26c5c8933d317ae3edd7c2d6106837dbc8e6cd9221d65a77e53e69c829778bb04e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgY.exe

Filesize
188KB

MD5
51fa44cbc84240331f61add0d7c69d86

SHA1
7c1500f8fbe5c78315f87b1b0ba3d1855d3c72ad

SHA256
533559bc30dd160c8c02d9b351ac4e0992e4059e6990edb81e335776c2f43858

SHA512
915318beac33591b845443b257bd37c38abb04c0ca2332368c8f82d1c525f65d3597aac8c803ea2ef22d3aaad4ad77590987837b9bf42949542ffe324f81c5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQgm.exe

Filesize
239KB

MD5
551b6a4a54ddbbd28ad9d4b4c09fb39a

SHA1
8797f0160efaadcfbff7822a24d773ad58b70082

SHA256
cc3559d0c3917a2702ff82fb75d4d6dc4f1f36325d1fb0221d9dd0cf34979a4f

SHA512
62278fabeff7d83d449738ab1140a13afeb1caa6235eed3ce331760016220251c3acdd8d185389d30aecc121e9b2c9fee92e2dfe4f0d40212da3d5ae9bf38dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoY.exe

Filesize
193KB

MD5
3db3edc0954b5d0fb3f8e366d17e8e52

SHA1
5597e5e6796444a0ab76740591db1731a58f2ac0

SHA256
0f6d19e8b06164fb99e7fd7c6a7352876aa6cdbcad190fa0894d5f288d844a4e

SHA512
dfe2cda5d61bd006e6964c960f9771583cf8ed15a397d6c767d5aa075acfb4cfbcb5375bc75063897ea902635e5435d02646a6762d1c02890958c1df29e5f0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\coEW.exe

Filesize
185KB

MD5
646987bdf1ef786424f7c88ca795b320

SHA1
37e64a51f3b157733ab7a04e224db26210063d5f

SHA256
209362c1c82d96078695639eb6868311d1ad3081553e6d0248cb0600eb6e1d3b

SHA512
af41bb7c339871c4111675fc5ea29b1c591c303c6c661a5271010b81f5e8cd716711effcf65149a63b0376b87f04354fba54d81996df402fa0f79bc3fa68a67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIK.exe

Filesize
211KB

MD5
8e320b482bdac254747f75bbfd7806e7

SHA1
c83f153fd47575efc1df021e77e2d1912d34d108

SHA256
cfd99b31ff873c7c6d0fb3202d4c98fb762382e9432dd568649b336a8adafb3b

SHA512
03313ae899489aad767b6390e2aa59485bc705b1722ad3c270b083efb24d493d82538ffdc7d47493b45b1456d372464e486944678228e901a352aa90a31505fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcu.exe

Filesize
2.5MB

MD5
74f4c5e678abcd3fbb6e16e83ad0a792

SHA1
65bc25c34fa930beb81ccb922fbf331ebfab4029

SHA256
5800730088364673378088d691928ee67e69dbc85428f8c2faa4fd13a620976b

SHA512
8e1e6d44c46f65fc8c8f0fa5327303f9597ebabe8a1367910ea663283e304f1e3cfe237c8600624b4c155168fa0ce7b1aff8bcbbf29de4dcb780cfa2f6799073

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQIC.exe

Filesize
201KB

MD5
055e0375d3d4e0865167ad63bd24c615

SHA1
3207becb28bab90f87cdedb0154f7f0be60f4636

SHA256
e641735e1708a6462bfdf90c62c4f7b517281bf051206007f73c6b6c6949fc8a

SHA512
bf59ce9658d6115d864dd7bdcb4b67bb82ac832af4b26ac471f11ad1ffb4944c2f3866a95408c8d5c22b96a0ff568c767d0dc81305ac0188e9011434a207a4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkU.exe

Filesize
212KB

MD5
34de31245206168ca2fedefa1615021b

SHA1
136a799a1498fcc9487e6c6c27719cfa4892ed8a

SHA256
aa2f5ed1ba6eeb7c44497c73dcce84319efa128612177153bcdbd27264578b86

SHA512
fed94350e14bacc0751b677a48baad80155833d651a8234a3491537f8eba002e3c3f5b45212f447afc2699013fb8919defcd100d9c5cc96b7cbd63d126708d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQs.exe

Filesize
649KB

MD5
9299d4f8bc06a1aa9320534cbd96cd71

SHA1
6d79d47a30a9e0004adb200da15ae526ee582826

SHA256
c71ddb11e7df2a29470cb1c920275e7cada1a8669531bab642a2011c755dd0e2

SHA512
a3034f0f99ccbb70e727126a3fef1942f816324a572185928b7b69279da7a54290b5f49c7192ff0a7e088137bcf26f1bdb03993df2b01e622428a6bcc80fa23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgEU.exe

Filesize
219KB

MD5
c7b185ea4b458bf2b699a73c67bf1289

SHA1
75ff27c8870efefa730e8e9d687107dfc862553a

SHA256
3c78d5d98f9b6e9205a5a3717ac6b6d1a7c175194c5a5730190c3e96cb574745

SHA512
c267245481011e354fccf84d40678b8b8464ba93ad67f31f6c0be15deffbf45e3c1239166fc49adf7fb2e8eaa40b18980c015fa71e234d388cfa7fc8eafe5a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgUy.exe

Filesize
655KB

MD5
05ef5ceaa47e7a8aa9e42b6e66f981fd

SHA1
34a7e0830ef5630b196b9914e30d75bf9941026b

SHA256
c55d913dc978ba6994de63e719f882eec1bf470b69b0feffab903547c40d3043

SHA512
4469a7cb282be613f45f31d20b6ea0ec21394adbf9a72de0d4dff6514c40c3fa2d65df8f34552e201846ae981b98916a42d5c230c616e587b7e695d66fc27e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsY.exe

Filesize
190KB

MD5
c6e8a4381b5b7cc0c6a03730736613ee

SHA1
10da0c149adbf0d1ebf5d3581be62ecaf22befa2

SHA256
310901a9bc09dc43fa2e67b0a7759915da631165d0414cc4cb07eeed87254107

SHA512
cfb91ca80fc1383bd945b875f7c9acf6293cfb0be87be96eee07f39a60ef09f17aa2232aac891dd7eeeefb53ceafe91fa353758f30fd10626206ea1bd3d82be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwa.exe

Filesize
207KB

MD5
cb7d8c33e1054f0a8a46f9669632755f

SHA1
6579359224352c389a6bf58800a9a32ae2827a5b

SHA256
a7f322d1374e5287307cc18384b17261529c54f7b9e571ffa1799d7ebc69758e

SHA512
01ee74d909a0a3148a0d30f9c0f3b87578f7ed006330da90ce4796d7ef67f73b0b9a22e0c044f1172a543689b39867394f813da8d31c37f088f96cd69e4c077f

Download Submit
C:\Users\Admin\AppData\Local\Temp\occc.exe

Filesize
196KB

MD5
80804923c7fe6bce499d3725ae837f2f

SHA1
756361a942263e2f28935f46c09aee181eccfe6d

SHA256
70c8c172a4db20f59a7e2dc97e2d3c46f716a1f80ed7f06aacf6932817c80145

SHA512
d959608883efb86385b239f03c2b8c414e12d52092f23366cf28e7d00775c16c9b5684cf164c9f87b4146ed48221b00f55eb701fa6487ead9ab8154a39737ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEE.exe

Filesize
257KB

MD5
e5edee511172db56e24ec721ba028602

SHA1
d783e35ca0f56fa7e0e6310d826eb3c9a9ea5f29

SHA256
dfdbd6d93aedddbce1436fa953f2ed8dd03ea8f35e4af8e34e04ee8c1426ce1f

SHA512
e869546b246c25bde8181986d70c1fd24ad5f86e4060ec8a7ab5b786f0f8caa0399ae9cc7343886cc348fd0b0fa0a7f710958be53a07c7430c350523ad6d6a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\owom.exe

Filesize
700KB

MD5
a275e3878b388c61646d7767dc6a99a3

SHA1
8e43ae91bc8fee101f8219593d1d2109494436f5

SHA256
14fa23bc2cba53464438778b9f779513067f164330cbc8259bbb8aafd6598cfc

SHA512
ef02cef462e5f698ea8d57942bba885d78206f607971996feb85091a8e681528cb0b644a5568a48db22231778d9bc597541b75f5a02dbd13db8e7e2ce019e0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoW.exe

Filesize
225KB

MD5
7a2a1623f554b378adb0431e78d2505f

SHA1
7c27e109e5086df21b7c8001010b4c3591c21e2d

SHA256
c9a55d851ddccf61b4855c8bbeebaca3c757e1042992b4eb037f2debf17f7f82

SHA512
62abdc478f26eeb60f6dad3efe373a1e8da60581f53d68c29b125014457523d0b47452856ea516c581e726d9d27670ee35de1f654f22b9c9683447a75d14f572

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEE.exe

Filesize
194KB

MD5
472c66124020cc591bdedb54015b2b0f

SHA1
75f45871b2d8e8b1715b6569f73824cccb147d9e

SHA256
d82cbf03b2b1d785e5b807277d1c3f0f6cf5321bac754a9700beffe9b31a5e8d

SHA512
cc4ffadbce90ea13b18c4b77d0d0fdc305e1a741e1bd0bd5a979df9e8894a9fbd42ad35d8bf30525f457215e7b79a418fdf0e63ef1989e16dc97cba44a67877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMsC.exe

Filesize
877KB

MD5
7067f69c706d3b2e275f05f031b772fe

SHA1
ffda8233ea4cce1ff410280291743a45771b082d

SHA256
a3683b7f26f76f99293f92aed5d082b18d94cb5da60be2a558d2ed2b21a1b3fd

SHA512
ca4691f80ecd43c9e43454bea58d89d4fc935de2922f5b366b1c03ba277bf44495264085d833c59aef8fedd5755c243e1b322dbe5408bc08fba2daa1967e7660

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMsw.exe

Filesize
738KB

MD5
2fc4bbe9f2a1cf45e8a71d5bc7acdb36

SHA1
237797b046447f7ee35b0a718077df817cc5a8c8

SHA256
a76f1e4060aaea2c80c9f3c8862e0bc3c571e8cd224a1a7634352075d013edb2

SHA512
c23c723524eb40ca94cfeac0149de74faa680cf768491e441b744a13d3a14a8dff9aa0041118a83395a427802cf5550475117beaaec188218a2363f0561b5b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgUy.exe

Filesize
1.3MB

MD5
6599ea452df86634f9eb5fa6adb6aabe

SHA1
02c7a987c08372e04038aa301f0043609d13aac7

SHA256
226e59b2c4b53abaf2e471faf1abb0b9a06e3bb82cea23a086cce8c9f22b7dc0

SHA512
f0ff28e0162d331392281e1c166963a5652e63c5e655b209a0724036d32b61a2f0de6195be1d03a33e56e5c5affcebf259815b239f1345a53c03a74afa8a2577

Download Submit
C:\Users\Admin\AppData\Local\Temp\qksE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoEk.exe

Filesize
198KB

MD5
b6414540c6bd585905e67cb5db76ad19

SHA1
733f0113481d964cf6637c43948c4e64bf9bf3df

SHA256
5c2560145ea72629ece90d49f1bf8c795b8481834d7cee73afd16a5a3314a138

SHA512
24ee6ae4d3d9df4a7442a9abe7f61080c6ca02728d3a8f51ca4f496413b313ea4bae282b30e540ef4c871d687db66d9619e64e5cd4f95280a3edf5288b9f435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoMI.exe

Filesize
1.8MB

MD5
e6d133de05849edc3c162e3cd4238b38

SHA1
ec4c04e5894b5fc1d1e20dae4afff4d0d46de557

SHA256
3e5f55670c5e80de22227a0effa6fc80fae97a85cf4f5788aa108e4f5e4c230f

SHA512
0719cb8a74344b4c34ae119c660df7d4e20df9afc80d3a93efb8d845c0dd43aa743db2931d4c502f89f3b241b55c037579f75aca8053b737529dc2b908bbcb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQcs.exe

Filesize
209KB

MD5
4ccf7bbb26ddf1b18237c72c192d57fb

SHA1
0d6b7cf10437445d2684d25bd13ff736bb575ac7

SHA256
bbd5cb84384330641f28a3c4e1fcdc303d341e2d5d1c3eda257ce265aa9b255c

SHA512
0c6a9a46998938796eb74418f743afa2dd182ab090687a92793fbe1cc99214ded4fabf281ad3ac2292410a275f0a01a534d6db8beb121bda9aa26ff688e94e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgUS.exe

Filesize
196KB

MD5
de56a3eed35d4b127314f9287c71b3d3

SHA1
c98890c2cbd28293b119f08dd2207fc7ddefbc39

SHA256
79b54de07f501ba6cf6678414ac7142a32afe4b6970993193ad1c46ddc94ebb7

SHA512
11654ab7e100f65594d00e975b25d64055fbaee9c8fa36ab258542182d5674a458f2be4d3d7939b112789f6257bf76e0bbb122bd77d363e77c30587fb6831b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\sssq.exe

Filesize
199KB

MD5
7b2d274441a08620341114a5b7498aa9

SHA1
bf77c8b6770d9e3a74f30f3999f19a0bcbfe6841

SHA256
98b624a04b5d49717ae2087581a62c991a01e544242fb1d94c81a90594ac1b64

SHA512
c6cdd74dbe592f1dc076ee01d437abb6fa36833c2994163c17fa70627f9b2c73bd42c0ef8cf9695032779fa9fb34a8861787bb2e42ed9c55ad21d8c8acca5f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUMsMcYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQa.exe

Filesize
207KB

MD5
257c222d78df62723904b9f4d80dd0d6

SHA1
31f78d0ddcb621df3e5b907de5902e99a53e3288

SHA256
66749de03620736431b4e6a35a0fa997c5b51ad0fb3a1fa4f3f5aaa136cfcd10

SHA512
dffceb80b1e5705963d7d124f89990a48a66ff62fc5bcc603f824dcbdadc136a05a0bc2f7ed936eba09c2e45dc3d558b26e2b6f26311e98c2baf1311cd215307

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwg.exe

Filesize
323KB

MD5
d4d2c44bce53bc0bf05cc5ebc27bb812

SHA1
71054f494a8d93119e17abefdf7779d9a48a0ad7

SHA256
c186766708048f328ca1764e50d63980db0b2b900e301cb271d8833aec17c14b

SHA512
2b4bec58a4da8bd15e12e5ef3c42f62657bc7392f7ac203778eb61c19b56b3f7193e02a4fee79406ec86566ed93244e89cd75836ffeaa0a8e60bdc04f3481aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosu.exe

Filesize
184KB

MD5
e3793ae7ddf01d1fb36ee63c5b568ac3

SHA1
fe6add3433bf1a04177e2001a4db6b84f03309a7

SHA256
f9e813e0ccc8e7caa5ee4df4250796e8e54f7bf14f0373cfb98b9b00837d4417

SHA512
b2480902e9536b117c3444d1fe1fb039b38f8c30b380bac1ca489ad45ee90a4b6254a43e2c19b5e5a47412f59b2f156e44dab726fb2a48dc138d7e439cbc7f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAI.exe

Filesize
216KB

MD5
8eb7e188ec227613c46ce2c32654acf5

SHA1
b401e12b3a95b7358a339eb61f6af5fd052ef97f

SHA256
448495cb3da3f549dd92ee453ae391c3400f790cf4b30000f288f10763832687

SHA512
417e9a863b0a229665187128c2367fe59c91e247cdb47886e198d72ffd2fcd4b865976c413bfc920862767e0cdd5528b99b3def9adfd2a615710672244cef4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYQw.exe

Filesize
5.9MB

MD5
89ff65a249673cca98b54a544a73869b

SHA1
fe451f58e89dc3eff51d6ab5ab371a9221c2f013

SHA256
55f84584e75e864125f7741902e163324c153aeb4ab4c3667d424e7d7c1b40a6

SHA512
b6ef0e8aa8d061d7eab2f58387d1944a521225ee4ce09cb01af7243bec8d13ff79639c1b9916adb5a28ec9d20449858e4ad72cfeddd2024cd2ab9751fef622d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgq.exe

Filesize
208KB

MD5
94c60eb5dae88e08b94163469b29ba6f

SHA1
733fe031d988f5dad98c9614f3963273785b335f

SHA256
6cdd275180674b58e592cefa2eaf1ae8ac37e3b01eb14fd1f47d0df9f9fe9567

SHA512
4f33e92684c9eeca899f66852c20a4f29a6da1ccf45790115d1d82c113f35f0be192ee7c8320644d45f34b3c5a2cf344e9eaa1e6e7a97692a04be27c737eb050

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMMK.exe

Filesize
198KB

MD5
99440100b8835d5093ec472422f902c0

SHA1
060951fb3b0b332dae3fa103eea3668adf67c30d

SHA256
3d9350d03d0aa38c8a7537372ff6230328d10731942bdfef4d7bff496e40f26c

SHA512
f78c2e32974adfefe488ede9a9afa097a9c52e1ae33f9bdfee2cbea1a6c81fa469579dc3ceec77b7c99a814903ec1c1670faf3a59044c3bfe38b4e2d939517fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycII.exe

Filesize
641KB

MD5
020f50b6f82dbe54605783d0c81e108a

SHA1
1cd60f57920b2880ff99765c0d0eb695ff265175

SHA256
62f6d054d625e3ff94f43e6c431bbc6b73e9ac335654c9f6160a03addf489e6e

SHA512
e9ba75e14812b3e3f0acc4e32e78f35988230332d6e5f2a609569a7513ca1114b55cd68fdd69f13064d78879d11222da60c9cc3b93e7e68a04ea5453ac6dd93a

Download Submit
C:\Users\Admin\Documents\ConvertToFind.pdf.exe

Filesize
1.4MB

MD5
a7bd707cba6a23ecdbe0112c9f8f5e5d

SHA1
4b54b5eee23fb3f2a36f35fa24b4163dbc781dfe

SHA256
aa57192ea1ca2b6e7ec252e8c6a2e64129fcaa628b5380b13d329ad4e4bfa82b

SHA512
ff477c48813a4cda16481d64ed4d8fb7123feca382e607c5f262393722573a9f93a756ad8fe48dfd1b091a3cbf4402ab5010b3b1fe14a29233b5fa897b2f1ecf

Download Submit
C:\Users\Admin\eeIkUIoE\pococoIE.exe

Filesize
196KB

MD5
73ce14ba6c91a78a6d8c9e47d43952f6

SHA1
701f76fb354d73fb412dcadf90f86a3218b23577

SHA256
c11125e2dc99945d476d3e553fa44533d977c660f8e61905125cd801fbe15104

SHA512
6c12be5f2a2610b58d7d514feec26569677dd19822e394f80f097673281669d9b720315ba4bea119fd5f5442539c977a49abf3c2162da907df40b4221e47c400

Download Submit
C:\Users\Admin\eeIkUIoE\pococoIE.inf

Filesize
4B

MD5
6228545641d33900079bc02cc11970f5

SHA1
6a6a7d6ac6c27b0a8ba9586311746da1b760bbf6

SHA256
f08bb280a25c6c74f84382d8fa1185933d072c5f919bcc3f1209d326a7690954

SHA512
82b6c937ff03cb755edaaad1a3c8754a21b1b15f6884f87d18454fcf550c05495c9498780d57e42a55ea653e8750c38fd94174c704b86413402c1ad041c0cec6

Download Submit
memory/436-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/436-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/744-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/752-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/856-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/856-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1540-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1540-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-492-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3288-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3288-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3448-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3448-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3812-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-409-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4112-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4136-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4136-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4264-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4264-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-510-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4748-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4748-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-385-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-539-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download