7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
599s
max time network
1787s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
Size

1.3MB
MD5

b53d9a3861ba2e66a83ed1827aef11c8
SHA1

e3d021ae61b901fc0e375269aeea8a956b5d170a
SHA256

00faee82ab5b800cf6dbe97afd39790b856ad1ec25dc7ed8f798aca702bee7ad
SHA512

c7478893531fbaf674dc90b404dada8ffefba4dfa2209063061a3c30df7992e3d95a9b5aa598ef2e5b6730fa961e44d15b70f5ea2075859ed8dfc528b1b5f434
SSDEEP

24576:jnbkBTLZO5z2gux4qXrNuN6zZkMPPX47Ypk2z364swWUpZKfO+fIQ:jIBTL8HPq7NS6tY7Uzps6pZcfn

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\qqIAQwgE\\vycIIkYI.exe,"	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\qqIAQwgE\\vycIIkYI.exe,"	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	qGoUwEYw.exe

Executes dropped EXE 3 IoCs

pid	Process
2384	qGoUwEYw.exe
1948	vycIIkYI.exe
2544	JYYAQYQg.exe

Loads dropped DLL 10 IoCs

pid	Process
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qGoUwEYw.exe = "C:\\Users\\Admin\\dccgQksA\\qGoUwEYw.exe"	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qGoUwEYw.exe = "C:\\Users\\Admin\\dccgQksA\\qGoUwEYw.exe"	qGoUwEYw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vycIIkYI.exe = "C:\\ProgramData\\qqIAQwgE\\vycIIkYI.exe"	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vycIIkYI.exe = "C:\\ProgramData\\qqIAQwgE\\vycIIkYI.exe"	vycIIkYI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vycIIkYI.exe = "C:\\ProgramData\\qqIAQwgE\\vycIIkYI.exe"	JYYAQYQg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dccgQksA	JYYAQYQg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dccgQksA\qGoUwEYw	JYYAQYQg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8804	9200	WerFault.exe	1160

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1668	reg.exe
5592	reg.exe
6460	reg.exe
1824	reg.exe
3996	reg.exe
4628	reg.exe
2968	reg.exe
5236	reg.exe
6276	reg.exe
8932	reg.exe
2772	reg.exe
3428	reg.exe
3828	reg.exe
4756	reg.exe
5828	reg.exe
3592	reg.exe
4252	reg.exe
4576	reg.exe
5576	reg.exe
2960	reg.exe
2684	reg.exe
4348	reg.exe
4448	reg.exe
2836	reg.exe
4648	reg.exe
4724	reg.exe
4176	reg.exe
6740	reg.exe
8672	reg.exe
4272	reg.exe
4084	reg.exe
3588	reg.exe
4792	reg.exe
5524	reg.exe
5604	reg.exe
5400	reg.exe
4536	reg.exe
896	reg.exe
8348	reg.exe
2028	reg.exe
8968	reg.exe
8104	reg.exe
3124	reg.exe
5244	reg.exe
6640	reg.exe
7288	reg.exe
3932	reg.exe
3912	reg.exe
7520	reg.exe
2988	reg.exe
4620	reg.exe
5084	reg.exe
5436	reg.exe
5428	reg.exe
3524	reg.exe
3508	reg.exe
5980	reg.exe
6140	reg.exe
5348	reg.exe
7876	reg.exe
8664	reg.exe
9064	reg.exe
2188	reg.exe
4448	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1768	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1768	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
264	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
264	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2060	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2060	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
568	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
568	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1512	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1512	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2952	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2952	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2432	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2432	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
396	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
396	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2468	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2468	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1960	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1960	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
760	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
760	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1464	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1464	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1012	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1012	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2788	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2788	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2788	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2788	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1744	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1744	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1744	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1744	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1668	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1668	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1668	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1668	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1672	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1672	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1672	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
1672	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2392	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2392	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2392	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2392	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2356	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
2756	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	qGoUwEYw.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2384	qGoUwEYw.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	1992	vssvc.exe
Token: SeRestorePrivilege	1992	vssvc.exe
Token: SeAuditPrivilege	1992	vssvc.exe
Token: SeBackupPrivilege	8924	vssvc.exe
Token: SeRestorePrivilege	8924	vssvc.exe
Token: SeAuditPrivilege	8924	vssvc.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe
2384	qGoUwEYw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2384	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	30
PID 2296 wrote to memory of 2384	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	30
PID 2296 wrote to memory of 2384	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	30
PID 2296 wrote to memory of 2384	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	30
PID 2296 wrote to memory of 1948	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	31
PID 2296 wrote to memory of 1948	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	31
PID 2296 wrote to memory of 1948	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	31
PID 2296 wrote to memory of 1948	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	31
PID 2296 wrote to memory of 2344	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	33
PID 2296 wrote to memory of 2344	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	33
PID 2296 wrote to memory of 2344	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	33
PID 2296 wrote to memory of 2344	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	33
PID 2296 wrote to memory of 820	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	35
PID 2296 wrote to memory of 820	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	35
PID 2296 wrote to memory of 820	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	35
PID 2296 wrote to memory of 820	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	35
PID 2296 wrote to memory of 1824	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	36
PID 2296 wrote to memory of 1824	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	36
PID 2296 wrote to memory of 1824	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	36
PID 2296 wrote to memory of 1824	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	36
PID 2296 wrote to memory of 1740	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	37
PID 2296 wrote to memory of 1740	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	37
PID 2296 wrote to memory of 1740	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	37
PID 2296 wrote to memory of 1740	2296	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	37
PID 2344 wrote to memory of 1100	2344	cmd.exe	40
PID 2344 wrote to memory of 1100	2344	cmd.exe	40
PID 2344 wrote to memory of 1100	2344	cmd.exe	40
PID 2344 wrote to memory of 1100	2344	cmd.exe	40
PID 1100 wrote to memory of 2948	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	44
PID 1100 wrote to memory of 2948	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	44
PID 1100 wrote to memory of 2948	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	44
PID 1100 wrote to memory of 2948	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	44
PID 2948 wrote to memory of 892	2948	cmd.exe	46
PID 2948 wrote to memory of 892	2948	cmd.exe	46
PID 2948 wrote to memory of 892	2948	cmd.exe	46
PID 2948 wrote to memory of 892	2948	cmd.exe	46
PID 1100 wrote to memory of 2472	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	90
PID 1100 wrote to memory of 2472	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	90
PID 1100 wrote to memory of 2472	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	90
PID 1100 wrote to memory of 2472	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	90
PID 1100 wrote to memory of 2772	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	48
PID 1100 wrote to memory of 2772	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	48
PID 1100 wrote to memory of 2772	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	48
PID 1100 wrote to memory of 2772	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	48
PID 1100 wrote to memory of 2836	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	145
PID 1100 wrote to memory of 2836	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	145
PID 1100 wrote to memory of 2836	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	145
PID 1100 wrote to memory of 2836	1100	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	145
PID 892 wrote to memory of 1020	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	54
PID 892 wrote to memory of 1020	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	54
PID 892 wrote to memory of 1020	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	54
PID 892 wrote to memory of 1020	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	54
PID 1020 wrote to memory of 1768	1020	cmd.exe	56
PID 1020 wrote to memory of 1768	1020	cmd.exe	56
PID 1020 wrote to memory of 1768	1020	cmd.exe	56
PID 1020 wrote to memory of 1768	1020	cmd.exe	56
PID 892 wrote to memory of 2172	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	57
PID 892 wrote to memory of 2172	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	57
PID 892 wrote to memory of 2172	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	57
PID 892 wrote to memory of 2172	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	57
PID 892 wrote to memory of 1836	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	207
PID 892 wrote to memory of 1836	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	207
PID 892 wrote to memory of 1836	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	207
PID 892 wrote to memory of 1836	892	00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe	207

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
"C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\dccgQksA\qGoUwEYw.exe
  "C:\Users\Admin\dccgQksA\qGoUwEYw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: LoadsDriver
  - Suspicious use of FindShellTrayWindow
  PID:2384
- C:\ProgramData\qqIAQwgE\vycIIkYI.exe
  "C:\ProgramData\qqIAQwgE\vycIIkYI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
    C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        8⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        10⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        12⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        14⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        16⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        18⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        20⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        22⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        24⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        26⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        28⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        30⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        32⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        34⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        36⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        38⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        40⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        42⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        44⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        46⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        47⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        48⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        49⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        50⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        51⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        52⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        53⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        54⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        55⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        56⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        57⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        58⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        59⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        60⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        61⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        62⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        63⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        64⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        65⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        66⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        67⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        68⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        69⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        70⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        71⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        72⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        73⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        74⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        75⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        76⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        77⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        78⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        79⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        80⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        81⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        82⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        83⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        84⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        85⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        86⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        87⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        88⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        89⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        90⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        91⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        92⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        93⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        94⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        95⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        96⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        97⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        98⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        99⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        100⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        101⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        102⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        103⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        104⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        105⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        106⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        107⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        108⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        109⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        110⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        111⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        112⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        113⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        114⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        115⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        116⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        117⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        118⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        119⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        120⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        121⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        122⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        123⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        124⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        125⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        126⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        127⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        128⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        129⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        130⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        131⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        132⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        133⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        134⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        135⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        136⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        137⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        138⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        139⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        140⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        141⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        142⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        143⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        144⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        145⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        146⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        147⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        148⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        149⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        150⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        151⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        152⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        153⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        154⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        155⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        156⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        157⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        158⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        159⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        160⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        161⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        162⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        163⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        164⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        165⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        166⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        167⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        168⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        169⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        170⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        171⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        172⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        173⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        174⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        175⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        176⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        177⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        178⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        179⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        180⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        181⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        182⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        183⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        184⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        185⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        186⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        187⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        188⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        189⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        190⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        191⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        192⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        193⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        194⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        195⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        196⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        197⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        198⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        199⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        200⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        201⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        202⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        203⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        204⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        205⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        206⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        207⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        208⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        209⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        210⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        211⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        212⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        213⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        214⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        215⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        216⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        217⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        218⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        219⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        220⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        221⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        222⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        223⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        224⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        225⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        226⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        227⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        228⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        229⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        230⤵
        
        PID:8896
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        231⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        232⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        233⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        234⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        235⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        236⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        237⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        238⤵
        
        PID:8876
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        239⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        240⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        241⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        242⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        243⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        244⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        245⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        246⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        247⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        248⤵
        
        PID:7280
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        249⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD"
        250⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
        
        C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD
        251⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 36
        252⤵
        Program crash
        
        PID:8804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies registry key
        
        PID:9064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:9032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:8472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        Modifies registry key
        
        PID:7520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:8216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        Modifies registry key
        
        PID:8932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:9128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:9152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:6844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:8968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:8664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:8672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        Modifies registry key
        
        PID:8348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:7336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:7268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:6460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:6740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:7288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:7308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:8104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:7364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:5828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:6384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:6620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:6276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:6548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:6776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:6624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:6720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:6992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:6640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:6240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:5592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:5832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:5348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:6140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2172
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1236
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:820
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1824
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1740

C:\ProgramData\vCwsgEow\JYYAQYQg.exe
C:\ProgramData\vCwsgEow\JYYAQYQg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1908696821260235252556198891364634575-6985005791369253691366043106-311507171"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "87971750029181428325553161410346651222920283091100633613-1509245786739435641"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "631099947369857347-715570805-1396703645-1922914925-264990060-465211313-976513612"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21249391857573038217200836891424486087709939543-91308820-14001299431726059803"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-871961593-18133499098702395326155418751330643346-920940939-1622257775-1383820914"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1118980984875163276676574294-10601702341224720289-156230084414053066541159680139"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2046253543582077907-1448317163-19710932907250721-344383414838455053-1962555847"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "749234636306408979-933686448-1724594858-952490438-1011493129923899239-554632720"
1⤵
PID:3660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10341919294228886691581701853-1849441691148705312-30629655916607583461078164936"
1⤵
PID:4056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2076439508-1521399106-773658396-1322531058-3443942471836798275288414871893909640"
1⤵
PID:3492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1710090461-1045417853-1993454883192741730214708899131687292787-12941344091480702527"
1⤵
PID:3508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "92683947499703593-182499062821004015102127044279-1676688506-2046259324-771160452"
1⤵
PID:4048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-186478089110843211931384944890-104711935-195794166518131464141769172696792144734"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1510045925-1682590906-11863718361471267092-20817443891762413221-3118277652068420852"
1⤵
PID:3540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "659789165-443915965858618940-1154068101610338462-1212200232-1085941172-671785802"
1⤵
PID:3596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8187682161786531734-279559933-1228492726124309280120717723076865793551766111278"
1⤵
PID:4316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18693835574161839561953281738675285403-1379224467-1614613924886874295-1654875827"
1⤵
PID:3612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1668375452-1569503785-1961922510-20304408001300395258-1675967139-552606273338089954"
1⤵
PID:3588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1309026073-179132572519659070676370060632096674365-1070258111-1242542502-657939532"
1⤵
PID:3984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-565154021188584058410926705331577349162256837883-1526959556-1693444998-1974235333"
1⤵
PID:4620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1149828462-15130075201753707732871426283-3579764098503524321839550407-460215133"
1⤵
PID:4252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2099860859-703191985-1564854593-489976764124171532211827403101518609597-1515440016"
1⤵
PID:4900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1419960022-875967544-16093834802085020089653716480961303807-35366-192796664"
1⤵
PID:4576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1734693682-1842755456-790786497-1336187627-1289505566-3157076961707167821641107858"
1⤵
PID:5864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-48081577111856012331840082189-1274175839-35614691588040300-17604155801108532736"
1⤵
PID:5208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "777241504147998676358551705-1245586359709719454-499835008211271570-2062467048"
1⤵
PID:5980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1082653471-664070379-1446603031-137047675216330390472117050365-3112516131810106412"
1⤵
PID:5100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-909712139704802011-2078336210-1306905159358749531513737529-20603587001241938664"
1⤵
PID:5856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1876511800-10538697517177458322073535294-81736873191249031129438265-239042035"
1⤵
PID:6868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "892961765122641758761875313879106012096125519-841658339-1426156186-1680697957"
1⤵
PID:6232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "603574546-2042407885-376407153973272896-15192689048850493651811044148-695980677"
1⤵
PID:6680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "654706918-1764740666-823518406-685548244-1763705625-2113087801-165148882-664975619"
1⤵
PID:5452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-918594376111738336010104080127216387918397524051217558491354897651-1777841326"
1⤵
PID:3648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1998022371-136060563520374596821040672656107569672-25049774-1877377611351123736"
1⤵
PID:6172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1169486273-15021731611663451511-9321329132092648581-1759810530-2074378288-1628743330"
1⤵
PID:5584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14104451081992156638817293359-1178541519-426468537-881229295-1354305088814735698"
1⤵
PID:7308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "48524026-7390445831244233983284653654-119805053411001095241222918418-870884780"
1⤵
PID:7264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-229731718-1543356976-30936152773687734-485714643-1377760367-701980703748648883"
1⤵
PID:3940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4434228731396780285-6596479741506563510-8940352461945233493-1293991718-1557775127"
1⤵
PID:7368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1927947009-1135306346-35688975418760551441335654929-1289638011373465457346193868"
1⤵
PID:7808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "559129472-198055045-15499188141693994995-179796967291083277-7432581821947423855"
1⤵
PID:7996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1915678832-15590567393544624691620903517-103602978691558177410954265321508514926"
1⤵
PID:6392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-667489291-55315592761778852-6055300751425423495411311914-1619614755-674872457"
1⤵
PID:8892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1078649769-21196148006897967601425448158-11860992321717588211-15430614851404020419"
1⤵
PID:8932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "227950651907009366-799007546187395625311943393612037707196-3725138471280498861"
1⤵
PID:8672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "85268613117399178955058554992060779621110507750619137377461898557164-1218017100"
1⤵
PID:8124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2114324140-309230646-164650676510865103871115139526-411735162-2106598551937000007"
1⤵
PID:8888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
3.0MB

MD5
52ae46b12824d1561517637ec956fe05

SHA1
d2f0b6b5a5f0bc10962b884de766cf59661a7ab1

SHA256
fe7ede8e01568499eaa79a43c19cb006e6fbc5bebe650bb5b57b0f8366b8847c

SHA512
7b74e33640cec6fbf1e66d95f84d078aa4206a32dd84086171cee132ce804e9ed75a83ff548718a001716ad6e4a7fafe5649e138911026aa1956b4f54817a150

Download Submit
C:\ProgramData\vCwsgEow\JYYAQYQg.exe

Filesize
2.0MB

MD5
7beca9716febe6dcc2adf215c9082222

SHA1
3e4eff7dc06588878a0676e2dd160d9cd69dec69

SHA256
9aaf83508abe33e8990f15a1860a8d74b0f907d1f824faf6a893ed0e93722332

SHA512
ea8a1a98e12cf0d2a78dd76cfefa02a6180a747f89e3096737bc995cd07bc3003814afca0a7b15c99ccaf2ef0e6350f0f4262cd6020825feaa3191b851362b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkEUgcgk.bat

Filesize
4B

MD5
76961948eb7b527bc90c1abdc0cce168

SHA1
e1e8b384ec3fb0f34d345e2796ddefee664e94bc

SHA256
974e19bf5241ca2abf77be5ad0fca6952db978c15c08394e1ffd6596d0f20acd

SHA512
00c1d459b536a051f085ba53bd3d105909b91907b6cd40839bfb2f5a765758f2f6b5e82697a16d5e4d30bf2537889fcc85739171682de7e2b82b8915b389aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCkMAcUs.bat

Filesize
4B

MD5
91388cbd3dcde3024a6f57a8a4bc38e9

SHA1
472ce4b87674f6c9f6bdaba54f7adf75874ea242

SHA256
ce0469b405d2ce3fcbef6d1f1b713c6431f84a7ced3a9898143441e2daeea4c6

SHA512
f7f9aadd7e300d2416af28228627fbf34f85bace1f3ead67b1bfaeac5146b6870e5473761080a82343f6868218a804e4663e0813efa8d1161b8ea676fcc096c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQgAscQU.bat

Filesize
4B

MD5
2314f51a079ed726fa39cffdf8a1894f

SHA1
466a643fb7ad2b9dde8cc76a5f315862eae1fffb

SHA256
4389257c14da62e57495851151757ffd5fe5e11a21bb8a5b802dd7971e5ed465

SHA512
b441ca54c5120fa3db8684a6c676b967922022c25c211fabf4e0cd6a681e03113ab6404a469abf00863df44db365de84472f439dc7ed5b4cc2e36978cb9791a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BekEkYsY.bat

Filesize
4B

MD5
d4aa2bb356bf5ada93ec63598a22a926

SHA1
560dc98911c0adb53ff0523686871812ff168bfb

SHA256
2ae84cc5a2dfd8da591656bfe0508d2a42b8044b6fe05e87c9012de1a7885a01

SHA512
ea1ad3b0cd54017c06880045eec8b9c258835c5b8799e152555b39b4831eb5247167d8f3f3b1ed9c4593973953d1e232e5e30bcb206d61580fdb4bf28e524684

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCIUUAQA.bat

Filesize
4B

MD5
0b6efa658ac421d85597ce4eefd3d8f8

SHA1
e3d9bce909c08e69233296b05ae3fd96fe6ef79b

SHA256
e74cb8e4439d585bfcc41a7e415e28ce66d6f87d66515add44caf3489eb8b553

SHA512
4a13c4d58a63b9c4876d211faaf107e2b751f5057e610fc83d7095a0ef2b66ad5e6bc9348d88d95a450f03b1ce4c5192810116d45e3a0c8c200f62fc25f79d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWcckQgA.bat

Filesize
4B

MD5
e9099249c524ae28cdaa0b33100c8c3d

SHA1
2139fa8ff707a250c1e2882057019407490b5764

SHA256
7926c6620db7657767d9155c43228bad80ade44b78c852490315e1da6b243534

SHA512
1f2177541b0cba7d48c967b810232e5a835dee3d055ef996402b1c70b8100f37d133c23261ee967b05bbaf7e03a60f370c4019da791f775ff3f8dfee28b14e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAowcQg.bat

Filesize
4B

MD5
b0cf473bda5cb43b3d1cb7ea3fe83857

SHA1
429b5e5bb544e913b8a60eecaa14cd3d6d89e4dd

SHA256
b2f5bf72eadf39f54317f8dacf3811edcacb5e6eb4ca1601909248f2896e1015

SHA512
bf9dc73ec83300d498753f9726965438672f28487f4a25c5bfb92fb73a38b1321aec32738a45d8e92f69ffa9e8e669f86cd7c2bfb0c7f0cd7440b7bfc42a7f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMogkcMc.bat

Filesize
4B

MD5
26302c4b0489b91b2dd4e0c8a336901e

SHA1
88a8243667054c8f1e8224d0c3d072cbeaba3e42

SHA256
1a179decc339697e2e2f7dafddd60a458d90c04b6d1e028b25147317220741cb

SHA512
e77b1a469070ec45098d2bd20da6d6d9f607d9ae8f5eb567607667a3ad63eb758d0fb8148f28859af421ddce3365b40235ece980fc90f7c01a2293d8847cab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQgAEEoQ.bat

Filesize
4B

MD5
89854ea184edb1651a0b14b692220ed6

SHA1
d209eb44e1bf64e04521fa2f43352236095b0002

SHA256
eb59cebd23acb4615669ab882894d2624099319916085c485ec21e763cfd7f42

SHA512
97b61ce83c14a3779a78bdb2fcdec9be35734068e47981007e0c9fe8e5b11bf1663296cf1d827d15e97e9f9176687e1b604374417d59bfe3211977a067798607

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwIEIIwU.bat

Filesize
4B

MD5
467d895766f843903f40c1979de6b90b

SHA1
33e60c8b7c0db1331088b16839b5cef008a6454c

SHA256
9fa23e11ade38b89830489457f969e6c089b40bb5cd6d48e82efd5032e24609d

SHA512
10d748b4759ba8412bca39a2d02add94f09100dc3ba27aad52bddb3506b208307883597cd5ba0804b7291b5f2edb6c96b0e43b0eefdb50bd5c0aa8349730e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyAMIAcc.bat

Filesize
4B

MD5
f5a1743b7d4ab91241bde78ad47a57c2

SHA1
f39a0117208b96350cc8c14c367fab69aca13ffe

SHA256
3025061bc618ec606d9723c9f9dc256169b3d017b799339b1d059f60b73b52ce

SHA512
c1035f829aba1d9a75e018681d8a00f11da1570f98de8e1dc40ac4b68f20dc7a36f456f11585c58dfc1c3a17b86d11bafcac80159be988c25033897d5a744951

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGooEUMs.bat

Filesize
4B

MD5
d877e433d6be77d9638b377eb560af72

SHA1
784060a11fb1e4462b6f8bbb2e9f58fca3e1fe60

SHA256
d8e8c23d87dd280996366f748f27fde8f964178f2068abade7dcfcdef08ae22f

SHA512
c51973e33821ee409df4b8ba6a3e5dcfac64f4ab7439ffe191a1a43257ee1c180e71545929d6f8d1079e2ce15b3ad97abd89c2f5decb9ebb4ef5f19837664fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOMEAIYs.bat

Filesize
4B

MD5
8673dde30dbe0b3d2d717d02746913b8

SHA1
b5cb3310061ae14eccfec9d9a8112d26e45570d3

SHA256
b94b3065fd101f303c32285524192ee514994a94a38c7e96448937d6fe822278

SHA512
62989ed06e2cc91b74d31cc4c7c55e99114162d38c5f0861c9d33ff2d1f63042b688e42ed2488570f590812a2447f6eb3c92126fe5f8a3d1ee723287ec4ac146

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiIYAQok.bat

Filesize
4B

MD5
a35408fa5a00db223a82edcb422aa51c

SHA1
a73dbef5d2e076cff19918af11c5ad2d7c6d76e8

SHA256
380b5f57a1c68419c1780b8120748bcfb7b456caf6482071925a88066e9e3c50

SHA512
9ff0e98807983a8383cdd77cfe7b4ef262d544412cd4ac18c0208a200bd5f710b9ca25a175853847d0fea3b731f4b1f64dae2bf118f2c59db50082dcd88af717

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWUEEgEE.bat

Filesize
4B

MD5
03a21845de4a4bf8c9349736f96f3f0a

SHA1
948d6e99174d25a0901ef4d2e74f64dcf7a6b1c8

SHA256
f9b6822c87fdc2b34f309d7ba0bf0e6788ed80c9afd3603e7f89c9d7032c645f

SHA512
53969ccf0d1af05fd0eb1dea0b5e70c9faafb881703fada1525a84269ab3754379a54011b63dba4a437d2764943d8286390b858324dbd92f5dd3bb4eb1ab7be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEUUsQAA.bat

Filesize
4B

MD5
2f4a388cf671bd2ad081ad2e88229af7

SHA1
4c17f322ca97798c16b449218ede0408413beccf

SHA256
6131a9155a4cf8d5bbf660d1eecae55a809cf79174167f9fa2dd83e5e39da703

SHA512
57e693b329dfa4128e1442cf11d3c75eb5cdde6e335e75efddc9cd9ee4b287b3dad5fea9c2b1a30a8ec8b5d32ab885ff2644c71ec31e7d1923a043100c778765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Giskwwgc.bat

Filesize
4B

MD5
cc080b49162fa46f15693ce7aae4ad88

SHA1
894c14edf8e1b16238acd7f71ecfe95939ff6831

SHA256
cde75472e38b23bf4eeb35121ec5d933cb8b89bac0d64b469210a87e84c30377

SHA512
d3a0223f39647c126256cb2d354e805b07ba7621890b0c56f05933db20c7b7b3de16fbb4cf32e9b7b54ddc1c988ec582f834c2c6bf6bb02886529bacae4e347d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GywQkYUU.bat

Filesize
4B

MD5
590f3897fc648141508cb20af6588498

SHA1
31839a680456ed82a4ecf90b8fee0d29686cd55b

SHA256
b796c8130fc5d4c4fb4b28f4fdb188c64a8c8159b2c2c56c2519455e26521379

SHA512
1c5b8df660eabe0a83546c6c52f8433b9ac1b85356d9befde193d7ac82a69daf45d7d542f58e1120de89cdbe4a3a563fed705f695a279534995515092efc0bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCUkwgII.bat

Filesize
4B

MD5
f5c809e5e02cc4219831e60169cbe3a1

SHA1
f9c8f2b63b7d64e17e0010ce4865ce5d65954fab

SHA256
b21830d3dd0e823e5b42f5a70ca1aa6710d7fa3870a0c7ce2e6171a6c03d29d6

SHA512
6e6407690915a8b5f9be62effef57439e4d561f7ae4c9547684516c716e8bf7aa1addb57db5b112f01daf49f9dbf7b985a74c1e0237515823d6c04be0aaeb4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoUsskwY.bat

Filesize
4B

MD5
8881ba98c11ba1e9dd66b933357b537d

SHA1
070d4913a0c5d78db97b188fbb9842f795fb44ec

SHA256
36ff831cd6b12cbf1f8f0cf7f6310ba50533536ba67681f551356d2b9e82d196

SHA512
6527c99742a779d0d2b99e4d2484a66a3156a1b7a2a90d70ad1688b6771d3b8a4c40a74d3b4084bad900f3b4fa7e63b4bff640845a994446f7343212f358e898

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqsgYsUE.bat

Filesize
4B

MD5
e6473675d817b8f11f83dc3ff3193ce4

SHA1
8298d05282bcd8e5628c17e3ac7ca7f255978c30

SHA256
abbec87c37d1985d6b7dca6b7515b6e13401a86c9697b9992e178ac2a7f7f9f9

SHA512
85cdb68f3dd8388bf3f7ac2634cef3b6acedd1c6369743c6558819fcfe92eac37f4fa5feb58723cd24dab58df127b0013cd7845bdb48749ec750b9a15a989cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYMsMss.bat

Filesize
4B

MD5
a01c47ba7f462af96ed8776fdbae40dd

SHA1
6ecb8b441c0f94761c8d5e1b62adc92441b7b495

SHA256
7829b1b5fbdb4ee57d5b7dddc628dd6af0407a943b6e9a168d0c2bc0824882e7

SHA512
2a153b5ed4d503e2497a1571647d374f615ddb88a3b132e73ae5080e4bda4a4e0aa6f01c7ceeea0c2e4fbe2f45e62506e2e85319bf32f2f02f5b88439a3adb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImEAkkkM.bat

Filesize
4B

MD5
eb289e30f4c05598916b84e19367b115

SHA1
3f757a1655fe2c7e8d029cee0ca3ea75b8bf7965

SHA256
adcdeb49d1d9eb7d7384258c267d910a253c8dc077fc7b5cfe6edbc63050d25d

SHA512
4cfc9fb9aaa5f6a82d244c55f434e5dcf319f572ad6013c85bb7c14360ba937ab69c2252004002c42bb4e37b3a2c0e559cf1dc510ac0b14dbdf78a45ed522c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKwUEUcs.bat

Filesize
4B

MD5
7dbec426c3880b5e8bfb1e53b1f5115c

SHA1
ec04ddb90655470f978d5a7957aae0f57b639caf

SHA256
b261bf0fbf8b6df75eff9c12b458c08ef0cef8d025d72d3de6c5dcb835909fd8

SHA512
4d01e8d51461787857eb95f4d9a1a753a087390c89dae91e30d6ae678146ce3971523b4e2dc5812660731e48beca0c23cafcdcadbabdfd422a1cf1fda1ac1a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYkUggsw.bat

Filesize
4B

MD5
26079a6e25c11815a6197e4c49d7a0dc

SHA1
7907615548e34f65ea2e374962894750e35fe702

SHA256
8d6a15c3c69ccb4e08b1792f44592ba46d90ae7afa9440aab0233f80424bd843

SHA512
b8219cd2bf7eaebb77a27f3a071c4d56b4a861fbbd6c237a307f74d5960f99e140d5146dee2a555345b6525e3dd71f5ba84c37197a0f286a9be435730c2631fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaAocIck.bat

Filesize
4B

MD5
9dac3aab7e86aaadcc9dbab2567697db

SHA1
eb7aa83e95b69d6fc093c21b5d431a2baa8755b0

SHA256
f33cbc26ee0475d14f066f603e96e9179f86a70453755534304eaab5e361e828

SHA512
0834a1554c47f2753d89fc4fcc93796bbf7dff80afc8d566f5f92bd8850b43bb9cacc62699bf84ec15edff01d82c0a81a554df381c6751e9c357083cf3e35bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuAAkIoM.bat

Filesize
4B

MD5
13a4be53406a4641ad440c217f6ed8c7

SHA1
b76a112a25616b5f8235ea37ea132001a8fa0fa9

SHA256
e2194f0c69e10167e409e1b07d5718014ed03f7402505a6637162ebe80daff0f

SHA512
e03cbc5084e0adfa1e51b1d370a2244e3dd18363478d0ddd6090ef0d71a0ff03d888e0bab6aba0dae7a6f8bdd98ecf2454ef1ed3223f4af483abd7b34518bacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKMUMkoA.bat

Filesize
4B

MD5
8d482705351395ed01ccfa893fd7b894

SHA1
1773bfb897cf0572e0ac6c648f57b51839f561f5

SHA256
fd94aeca272e99d9b35fece005a65524fd69bb275a7fcf7d3c0da8ce0dcf9022

SHA512
2d3b97daab784886d1144d1dc09993946016c7233ac635a24d1f11fe9b7ee4738f142be1ca4ce0bcd46741e58d70483326024c3d454af701e39ee8cf8a9abe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmAwoEgc.bat

Filesize
4B

MD5
70d64e67e808f6ef8fcfabf56905a4b2

SHA1
0d35eaf40e10e6a4688c657a0129f43ceefa9be5

SHA256
509b113150aaee3cb99bb2a90fa3d2de030ee6b44a1dcdf865faeddc5fc66adb

SHA512
0956659ab5d886742fa305a19e2cbb9919f5155b3293fbdb410b96dc3acd67bffb91abe2f909b98552e1ec3a8fbb47a6eb2492cbbf8b24fd26ef990775d94e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\LycsgYsI.bat

Filesize
4B

MD5
0ad847212f3d707aa61b38217b754cdd

SHA1
467df323b3d34f6d81b4b48515db5868906e3a6f

SHA256
cb157148ec86245bd1c9e1194d3f778fac2f2efd2d80ff4266e3bc2249a9b2ff

SHA512
bcd9d3459ca23bf510d018ea90380b364fdf8e4d8a70476f1986fdffb84d882753508fd003e554d19ebb73d70ede355618a36a52a131fd31d301dbc786f0c9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEkAQksg.bat

Filesize
4B

MD5
d133fc79cdec20fff4b2f1f9f9405aa7

SHA1
d22d2e897e212f29aa4e9a678b5ac3c3e538d088

SHA256
a4aa6eced5f75bd2f6648e06c0dd81d39efd76e56e25e3a24a80a041c952ec05

SHA512
d75054f30419251b73bfe51ed55c399591832c268b39fd9d37c10dbe0aaa4d880e1d08b91ff51964cf4c3dd704507e15c332164c22ab35674e921a15318b2661

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGMoMAkw.bat

Filesize
4B

MD5
cc1ed59273b1f1629e94f793a6a4c7c0

SHA1
c4712e422183c996b6d25d5449c41d6bc00dea4b

SHA256
8f5dcaf5c864fe159f65b028bb35c7a8fc4d25aa741487b72d74dbce202176f8

SHA512
15ddf99b752898f0c28ce8d3a831570ea67dc662f035d1c2a8853c4372300bd170f393b70c8122b90f4cf5436903512d93adb3a9333b7d328e45f586e3365dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUMAYAYk.bat

Filesize
4B

MD5
3220c8528d7b5fde15c399275ccc0f04

SHA1
1bdd9ea26b92bf62e6c440c3e5b5ddcc7c262eaf

SHA256
deb0c76ed3bec531e422efd2572f5037d5489e9ecbf105bce563d8343dda5a4c

SHA512
ddc9b7def715f8e528e0b1ecbb60c57d06ec8e01b995b5d4316b269a1911822709bdbbd8e574b6cc8b36ca257bf605245030d30d97a417798957a4272ff64fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MescQcAs.bat

Filesize
4B

MD5
67907ff149d60f4a8313d8b43628eb37

SHA1
d0f4ebc7e1028a00981891a5c05ecbefbcd4826e

SHA256
7a1a64bf3ed2f03a39fb48b84565a95c40d3d3f5c284cc5fc36a5ae5d5be6d1c

SHA512
d4a324c193f887ea3016bd903662d73f2254d6498b04ae088f392ad58a8467b9a79d90f6d6089ac0ab60cd4d29a23eaf3f386ba0a85f22ee1b0eabaa46dc3a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAoQUgQk.bat

Filesize
4B

MD5
bdccbea64071ac7a94eb78c36dae9999

SHA1
ee8075cb3cffe95fd0f7fcd5fedf5305de872f4d

SHA256
dcb9b61bc167a0094ed7fb8dcf11d1d683bd637265f75d14182a70b47163e4c7

SHA512
95b853b408dcc02125e1fa3aaa993fc687151397c30df082f0bb1b0a41f6077dbba38db39f2cfc6af63eae27f35e1bde03ea1deafad9812598e78ba58451224f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmwkYcsk.bat

Filesize
4B

MD5
5cb4565c9b5df341981c58fbd814df25

SHA1
3a7b74ce1f3880cdbb82c94984405620f64358b8

SHA256
0a313cde218d9188ef1f3a1dca6fef35accbda3f7a3237569d093ce5744e7323

SHA512
61208692f0c089daba3aa4e82d9d0000e72ee51f3a6f2b4eb5866230561fd08b946f8198790f8a7cea969aeb1f3d50e9c44b20798088b637e9071f158825b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYoQQkAk.bat

Filesize
4B

MD5
113049543c3f60b74af1db7ac3cb8e92

SHA1
a36b3b7e766fd3310791d6c36cc5a2c13394bc24

SHA256
2cccf4e4e106aea30ff0c8ecdb0c5ad677d930e5b1a8f660b63139c0d7a33ed3

SHA512
340ce8a8686b7019cc5704e1ebdaaa75a1ec5a0091b8d4f2cd4aff069bf42c1c9ff153bb0a2d39cf3844f43bbdcb382abb00ec27f8a2c9a5186c4088c19d7bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwoYogAY.bat

Filesize
4B

MD5
af448fc62b7bc007db670a1fa7f1cdde

SHA1
38cce7349e6de1a2eaf56ad10ba3eb6f768b60e4

SHA256
17c60e83947afbd3ec4ef26b5d4dda583d1c350aa91c78a6899a2e600d85538b

SHA512
9a8862bc345cd217e22b6807f29be5c479d7eb4f8afd97c2a2bda3e244f5b8c38961f3aa1cafef096d4239c3948387f00389ad806be74ba4e560f76ede48e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKUkIcso.bat

Filesize
4B

MD5
d17c0cd041b4eea8ed2f3e53a4fd89be

SHA1
dfa80ab51972867c0f32182e3e09e6c0ac4a32e6

SHA256
172bba14161e99224fd9645e1f4f5b099eb2c21c8a4cb54fe857be30ec0fd983

SHA512
b3d03a537fc2beba46f93cf1c63aeb02fe81dd9ea1264d414d137003e05bb33b75800402db9545fa527d65e9b1701bda772db0795f3e437eac20dbde140b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqgAEMkE.bat

Filesize
4B

MD5
ae78b045e0d976655b7f08979d350281

SHA1
59d67a2781b3b4a3592ee375a0eff41aac3623a5

SHA256
864dc3fea9b49c87aca16f6ee0d84a035eac05ba0d8d7b230d30466262e027a0

SHA512
37571616b0fc4a25b1e27ee4b8297701d0315347240208d9574d98c5920c241957533c08b383012f41ecb13ef4bef26ff69fcc563001d6cb887a22bed4829ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RosYsIAY.bat

Filesize
4B

MD5
74dddf25f0258f7fa2e0f97c06b75ce0

SHA1
adc0d532b66ce5a71bd145b98bed7555908abec0

SHA256
a3f270671afe13c14bdb50a619a14ff745a36998709d3782b6dd556462ca974a

SHA512
df5de4132ec02c411a88ce5b9df1e624c8b683f0214f29c1f5d366043e134e2fd5e814ba8e2829aa1cc45a847a23a3ccacc50603a679c87c69d205fbe9c6468a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMQwQIQ.bat

Filesize
4B

MD5
3a62247d73c570f78fef78b924034aaa

SHA1
7b468582f0805dd4684688149b6379af0ef5935d

SHA256
4b15088ee91088a81e87ae9859224d087f0c1b1670e43a47e940a958e2fdbc01

SHA512
f4be5ed96483e8f7ccd5694fe7fbafc306b46857c27600c14986b8a63d88608dea94d9b49b2af57b7c54c49556fcad261db06cac5046e890ff7b61627d480d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\SagQMUkE.bat

Filesize
4B

MD5
b28e0d91f6c6548da6bc316743577fd0

SHA1
a5e3e5235b848c3c2639ca0d9c6ee56e187c19ea

SHA256
edb9e79a0e63e78eedb515ba3524c277ad88b9442c3f9d352c1c278fe95f8279

SHA512
022559e49b05079bfa15dd0c9cde01ee147e9f750beb379746273959f204e4d3dbad41b67d53c20e0817417f6ae4aa5260f207ec3bd0e4e89d5081b9823dfbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SucEMgIQ.bat

Filesize
4B

MD5
fdc9ef751dca2d8052504e86155733d0

SHA1
0e0dc43379ce68c4b971a46fecba66183182b50b

SHA256
16237bf4fa5f1387949edbe1bb49e912b1d1aa0bfa28b7bf0263544d843d5f53

SHA512
a30ff73fff7bf8c6b409b399e72697bf6aca51236d14022e0a3b0c7e916f15fb0646339248968ff40a2caabcc3ff632be7ebc7af447128b60e9ac07e3a4a27e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TocoMYYo.bat

Filesize
4B

MD5
2537148c7d688be1e45b005accf583a0

SHA1
bac2619665a4eb0185a46465ba58065433661e49

SHA256
dbb6b7445420439cb718c54758b36a7786e639e31f5d7cd6fd09e2de293fdb6a

SHA512
9c25fd945bd061f5311d80583ac28b8e1aa3a6e3089394eaf425782d9617ccabcf2513e25d474ba07a9fd10f8829cce8090603bb333e4a23472a7b18a7967f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUMgcQA.bat

Filesize
4B

MD5
bf6fb60b790823a39a29f3a4ea2cf589

SHA1
5af028d6fc9d5b70de8de6024830ad4f182412b8

SHA256
3d3a198689591b601def47847570ce6073140d8584f41b5fecd7d118644d4677

SHA512
5d8214f64d5d22e629f114f3ca2794668dea34ca24033a0309a6a346d8e94758694c4482253efaf1a0dc47ed53f7f313db56580dc65480c1dafa4c5333dce562

Download Submit
C:\Users\Admin\AppData\Local\Temp\USsgUkok.bat

Filesize
4B

MD5
9b12463a29f97b4fc4a9bdc42a3c14c9

SHA1
4235649c13f9d1f1f92631671ac8e65307d3206b

SHA256
7a878b38576e15ebef5cb28736c09406e9602e66a4223724036b4d7ebcba4656

SHA512
0fc109483299c40edf34968ea95672d2cb2d68d424f37eb98cf459e0cca488ab544bbe43373c6d5f49ab80ccfa0decdb72507a80aca34465552d1be525fb4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuIIsQUg.bat

Filesize
4B

MD5
798d9db5e1d022af96a2ab941f0191e7

SHA1
132b826bc4a53a64eb3b53a5f76cc2e46bb57113

SHA256
356c243614bca9721aee2ad7bc0666c9419e9d525688d7b7e587127f0b7b3c78

SHA512
831a6f1fa723b8fa17daf1364e8ccec7e5d154526ccba854583bb562eb8aa8289b29aae00caf1007fc0361fbc0469b1341e6dde6ebf1896d267d3749510fb6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGgIgMsU.bat

Filesize
4B

MD5
dc002c4725357527af873e7452790fcd

SHA1
a5a99cc7fe1fad5d7ac23aedc022ac2e47a679ba

SHA256
659a6bc0cb54c95890cb5c9d099caef7a5fbbb942697a39f26395f9df67083a3

SHA512
490efdc583f153c5ade48d6f4a1f9eed23f5a7aecc2d4924d7abe5d699ecc3352ca8b84a853c36e912d8657a48af298de1821667c1563789b6841e34142f5996

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQIgAwYE.bat

Filesize
4B

MD5
c8b057a9f2c0b7bc222baa72c1a9c13c

SHA1
51738b8bda969b9d75c5f5b2ec546ab40eec464b

SHA256
860c16d5432582504b8b1e3777c2f42b8b1f79b13c9050dd6099d8eaac4ed502

SHA512
c2fbbc6b62ebc80e9e1c4ee740392209bb2211bba4f738709c9b32cee04ea41be0fca2ae4b9438b158a8973e67c4d3f4caf4492d6c7905ceafed8bfcbf14c8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQsEUkoY.bat

Filesize
4B

MD5
00f7e155cbb17843fcb29eb9ec551f9b

SHA1
d010dcf7f1c2ef395ec229a839cd38106b94e09a

SHA256
0b1f4170585e76118cad3356ba9355ff1f36946f54900ebd3a6ca741754cb938

SHA512
9af14ecc658865ad5f369859f3ecdf2053593ceeff040c5f4687bf84268e93d604fd2a8044fb856d3a683ba362a806832e5c1040e68351e458cad29f8839c57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIYsAwwY.bat

Filesize
4B

MD5
bc5e22e98c04f88ea3bf5567361e588a

SHA1
d8a6f9454a4a59fd93d0ec3ee1e6811e3db897cf

SHA256
03b5f8d3e1ef6ed290f299e84f43f8b2219487110436d42fc2ea2266fd18c34c

SHA512
1609234b9f94f12de87e14a203534b41b16c269c9121100ff3954bb7c7bf812ca5cfd7ee848b8ea93a2f15dbc30a30ed1c4115e1b04d9980c9e9d263c59485b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwgEYUwo.bat

Filesize
4B

MD5
96e43608b3de9e7b664decc73995baf4

SHA1
be8d2611e37a6d661226ee94eff4d5bf36ba8eb7

SHA256
6e99f1ed7882c96064c83e476fefaa2c0713016f08b036d35f9166a09f5e8f56

SHA512
1a58cd2f3f3fbde533c165b1f2eac9f01a8f728dffaed473df3e6ae79632cd09cd9346a886e02757ff05dbbf1fcbc3a4073ccd4a755e11026f9c03b23113ab21

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGwoAYAs.bat

Filesize
4B

MD5
04efe259d141988596397d8f150647cc

SHA1
feb1ed72cd8f280e48d073f22de68ec5248a672b

SHA256
2435b2b90a9edc3547179c6f25ec844243f1862a6aeb56430fc15a1a38436173

SHA512
d0bf7d75cc1a2bc422bfccdfea2af8fbf06cea4b69b01b4e35f806663ff01e59824dbc6643f3a847451892b5b9a0a2bbc23ca8ab05cc26b4d0f70bbd8185cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIwAMEkI.bat

Filesize
4B

MD5
35a29a06e7d3fb9dd641a27d04fe39e6

SHA1
fcd491f967985d0e53965513781706ef9d713e26

SHA256
4919fce5317eeb6cd7a3691d29679db8277d1825f872fb5897752346e9db1643

SHA512
a999996d55f31b0747527970aeaaf57b0b3853b5e29065226bdbcc3e6e45a0475b6fb62ef6eab2cc44a0c3dea71981951401baacc938d9b24ce1423edcb3852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOYoEUos.bat

Filesize
4B

MD5
46845ad3fb6e844f9929e078e3acb0c0

SHA1
fa1b2ac62d63fe1c04d06abd7621dbc1290f441f

SHA256
e224961179955aaf4efe54ccf02b58db1e89a06e16af4b9a994cd22ed4946d78

SHA512
ec381fc1270f234a5d10dfe1796de96d57c7218611b037e12ab0b0c4c6a694bc8744b0d5212c99c41026d21fb647118de840779bb12a5c11c232b7e1612b41f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUEQUYow.bat

Filesize
4B

MD5
9904788875bf6508893801142a8e3283

SHA1
601345f3a275306ec8d692c7e6910f590aeaa45f

SHA256
92380142d2251bda7af92e9a5e01c03c924e31ed00f3d6bb84631b818ce2f897

SHA512
cbc98bc03be586f492ad8cb26d4f30f629db3a5f5214df05d6d28887ff644c4c9ee4a575a7d54dc8017131739eaacbaf715f7654d7e065f379fe46d60e7e97f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqEocEkk.bat

Filesize
4B

MD5
aa95f8303fe1644730059f18745288e9

SHA1
2250dcf552811c85f94e10faba1451ac27dbcdec

SHA256
b0797c143d4d313ea13b12dd9e9fc8f0eacbcbe0d834ebb61832bd49f42e9a86

SHA512
31ae40a6524770a4f2fd8ba11015b60f1c8ddc06731192d043d2a46b6aa0893fc1fcf5bcb311f4dd1f1535350fc5386feef8f3ef7fde818683cac385b90b3e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuQIQgQo.bat

Filesize
4B

MD5
895c68fc6031fc023c25b9755742b066

SHA1
8969ee6f1ddc8d5dba0535fad1b0bf6e80bd2334

SHA256
30ae3675336c6645a5fe66d1d9a36f915184d8530d4bbf7662ae67e108c3a7b7

SHA512
63c68289d7db7a2a482df7324a26c50e593ef0dbe2d5d73ac3d3ca435c90a8a19cbc27a3c7aa5062c57f0fb6ab4ab8afc1babb61deaa73712f45fe030f9a3cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiIQIocM.bat

Filesize
4B

MD5
263c5e3ad2eeea083a656c05fcb7d233

SHA1
895235d1e810ff3ac8e5b9517b339350e9664b8a

SHA256
0f659b28e1046fe19a2c1a1d0d712a412507dfb00a7a75edd607939506e8997b

SHA512
361b96335a269fbc90f936793dbfd80465b57f61ed99a6991068221b4ec8cd2c7ea4319c5dd9e1b23223b6855e47dca21dd7e4f02a83d47a2f3d097fa1dbea9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQcUowk.bat

Filesize
4B

MD5
11d4a45778ac61599fc3626a3a18054b

SHA1
e67359ec59f576b09719d5d2f56b8789785510a6

SHA256
e6269d6c5cb5f959756820282199ec0cb2b204b2250aa375cfa4008f3aade9e8

SHA512
31ec6abcc1b6abff97ce98f7a1abea817050be3da6e30382e45561136832e7ed61bdef0a857614af217bcfb641823f3840472cf4dcd73ae7ae17d05d5e0b3824

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaAQMUUs.bat

Filesize
4B

MD5
38abbb5908ac10d9016c16499eb8cfdf

SHA1
e3121624942521d58ddc85dee44c1f592be5aa39

SHA256
6b588ff4124e85b506c0d5462c9e8a2a933e667238dadb05befb4058a9f1dbd9

SHA512
af4eb2ed695d713b2ee0ff85ae7f9fe1de46a95b0b89d76585caf5760b94ca994e629ac2fc443a3a98593b879551bed8e59ba563fd373b019f8fa80e7cf3f7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAsokckY.bat

Filesize
4B

MD5
f1c946524b49524557a71bcb3aec0ac8

SHA1
3919f4d1b39407ecca76ac762efc17f084a647d3

SHA256
759429e10f0037eaa845c6da552cfab2bec3339cd0efc06b8a377064fffe8e2d

SHA512
56fbb5347a282bb0cec99af2e86746a78c44ea41a359a263825c12743a9e990124e5251efb1e28e71f7e8f531ed97590eb2a7fc26372eefee99ac64176c2a575

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKYgooMI.bat

Filesize
4B

MD5
f89b5a80175c66d38cee202fe6e2b8bd

SHA1
a4802e88ee6649f499eccc62ee4788f06dfd168c

SHA256
57670df136a1c38e43e9fb7abf5489fa018e9a382ab2a8e1210b95b1a132e9bf

SHA512
9b004141a9a9b9a5209dd9c3c9e678d4ed285f1bc85e1d58459ac7f237e948df784c287f14aa6181447d05c59a79d28a6b8fd9248a6588069b8bd726b1953428

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgswEEws.bat

Filesize
4B

MD5
6347e0e1c423eae3769ebd44106bad49

SHA1
f4dae6f770691a844841f345727a6b8d16228e37

SHA256
e436210489158ce3b10100d12e4bbad7c4ce3c5acd60bf2113afa764703ddfee

SHA512
3dfc79bd47f5cb71cbd12f90b24631dac131835fb60ab9da6a69b9b026dd0ffbf2c51bea67fe1f9674c067882ce7c36b311ade9de47456356afc63b5cc5e69e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkoEMAwU.bat

Filesize
4B

MD5
db675e4879183161412374359726c882

SHA1
f6c72adaeedd0f38b0327f3b4ec65607ceb69bd5

SHA256
3225f884a6e42bce9323c02a2315b3fc24b44c4ad0facea335f89863f297f2cd

SHA512
48c62721ed7f8749d1afec09c6d6f0d4a05e1151916b13e298c3d9a84e1ae084c09e73d8a096e588d91ed7f19f0a156f2e5842493f29b81f4345aef07d90c5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUMwUoI.bat

Filesize
4B

MD5
0fb4c6b5c1b74a4a24e712d131113b51

SHA1
a47437284dc7bf9637122ab28dd81d93f11a2716

SHA256
0232803f456fdc88e32609a1d54a4ead03fe21311f1f5dad08c927bbf0d22d8e

SHA512
5804b0e85574fe6c76deee4ed4daba2c40c64e6122c92fce5f827242ad5e56460cb3d782d43820c478abe5a14c9ee6a61ec88079ad3ac01d0e743fe872ecad33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmAUEIsc.bat

Filesize
4B

MD5
ede8fddeba32a2c449d6c6d6ea68b3a0

SHA1
7a7f2d04c3a8872ae38dc869068e247ae9a736d1

SHA256
1127aa5426e60b6b5e1a0efd6036c9db4e8fbbaf4c2c8abf27da8de1efd5f7ff

SHA512
72776810bfce41ad938c808e3c645c2b6ffacbabd80e7feb3eac81bde63b29465fb0a9d99ccb926addba3f0902d81688d6503083360d944388b643516a775788

Download Submit
C:\Users\Admin\AppData\Local\Temp\deUggUgw.bat

Filesize
4B

MD5
9c30bd3fb72600946910f8a9c36ea3b7

SHA1
25124db11bf64bde63449267a7f8167e0f61cda2

SHA256
d79f76567bed9a15c9fe28d951af76760ef4e2db2d00e03dd74c9872fcc3a468

SHA512
8510ba38391570f71a5cc1d02e39bb25bff7fb87cca0239b39718287524dc175950e952953515a7b733c0015c1e36c57b8d07dcd61e68ab0f25fbe05d4a0ff0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkUMscgI.bat

Filesize
4B

MD5
5b7d607242352ace20af9741167cc2ca

SHA1
7c0d5c1443e1696b6d1a6dd478e8bf5d6db734ca

SHA256
72f79e4da7844ad4f247c813db87db295ef33b5f95042c2ec49da1fe20a0c134

SHA512
565b95d735a41e17b54edf22095680598028246ad1733b0a6a94d288fe373ca7c2a52cba87101f372e227e7afa6b058bccd1cbfd5af1966816ccec74514fc164

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkgYAsMw.bat

Filesize
4B

MD5
b3e5a57b5efb7332e434305ca70124de

SHA1
eec9ebc382e8ffffe52d32559e49cdcfaac557f5

SHA256
bdb9e4cfc4365dba0317fdfe56de6de3c528d7234c2ad34fdff30325c9be43a8

SHA512
0aea3c30dd85f6bbddf77dde0dfa6feb8297f5e783b614655ac669337f09617ebd79d831cc251bdf6259f1f3dc2d1f1f607a4fee797521503dd2d5c37c7e5b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\easkgAIE.bat

Filesize
4B

MD5
d6ce1fa7000309a29bc879a6b29efb24

SHA1
7b2911e0604c65065d46524667dbb6c047a334e1

SHA256
866f2eee5ae5d25dc208547c633c544c0a2c68373ff8e1cd860f06c474c1123c

SHA512
6dcfa063ec66c04dbf573ff1131198c6579183d90777b108b07b5087eb415b15470f49a40b15a53624901bc5e3a857d47fd6aa188c51a370c8aca424f6d520aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOIAksYw.bat

Filesize
4B

MD5
8c1b7ae2279b2799c78b35ad3fe80161

SHA1
8c24d48d6d92643f1ef4e0bdf7a45dd939236279

SHA256
fe8f18cac5486186f9c78e44d333c328de11802cd29718f8f9bfe1a368e6fd91

SHA512
f42246e76197bf0e29529d3298f1df43be95c3672d61f325dee4a2cab46cb6e43fd6ca01fe119f63eaa60fdb35529ad629093e415c2300ec521a1f402a776892

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmEAAUUE.bat

Filesize
4B

MD5
b12f52757f82b1e9f2e3a189a9934786

SHA1
c4b9cb323a9c3e0344f5336efda5a21cda308b80

SHA256
853b450fddf42f13c97229cdde14b06628492694a172d3b232a64bc96daf5105

SHA512
034796c67f9303e8a9c581307cfa43b813bdb1c967bbcb26f0d3ec89680f1dfa70d546b12a5809d9eca08f0a45eac9514b8098cbc8312478ecf15f62b674f098

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqMwksgs.bat

Filesize
4B

MD5
1a681ff6851070454f5977f57a4a536f

SHA1
5fdac4b3d8e8220594c6345a0b8ed6aec4bb2edc

SHA256
80eb82ef82b871c436ac192ed9f037c342324cd3df285c906156b3a519689a71

SHA512
7d75c0513450084d70739910f36996855ce58ae5c7d91b9138affe286b5dc9886e663b6abeb6ec4bfa0919aa5d014cc7704337fa437d6afc76b41a9fc05024e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSkswoUM.bat

Filesize
4B

MD5
584cc015e98d3bb23a9cb5612f08900b

SHA1
752a1c82d522f72bba56eb7fe46112f3f0fff07a

SHA256
16234e28b963170f2138169bcdc0611a2c278eb1a55df40dcfb4e4149f9fc3eb

SHA512
86cf8b8a585396b6f210ba468a2d966bed7db4490b14403d97952b2de959669efed0f9433c196c7bd9878561f26fe52097cef9c4e5caaad89f08022d40f5e09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgEwgEgM.bat

Filesize
4B

MD5
ed168d20eb21eaea31328bec10dccd2e

SHA1
2268d5b2051a6a47366d0d680762c8a8fec2fc8c

SHA256
5997051d918a8885068ef58ac9609b95414dc1b82f45a2095ba757af4086aef9

SHA512
0e37c688a4e1f4537be9a80976092275e0e52659ed77df8c52689c27358d94e67f37b28c14e53e88fdfe2b517a8329201463b3366e11fd00c52caf23dc740aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgoMEsMY.bat

Filesize
4B

MD5
4f8f966035b8bd76baf0141e1a2b1532

SHA1
f0bee12cfcc0b6d18a15ae1603b5956b3761d2c7

SHA256
b90c48071abe2df1b5277938bb25c8769cb46799a1ffd920ada6a613ad3ea601

SHA512
9c0016f87199011edaf28d94bb51d0bcaaecd34091b75358b46fcd0a1325fbc0e4d1a7f38ef577bae3e9aa5af4e570c34b81002605b1d3e4e26c82dd496e3442

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCQogMIc.bat

Filesize
4B

MD5
12c23c3f25b18834f6cf428e65ef2c66

SHA1
899bff07115041d8872f093302943cac7b4bf588

SHA256
481552cebdf5c9d483800ad8881b2777c14a443c49226bac21423d71350868c7

SHA512
d23c1570620fc5102ebd93759d6fcf03229b67db263f4a48b6932de53ccc51a46d728fa00785f189f278d681c603e334938f1825eb39966778dbeadc0a9dec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQooYkoo.bat

Filesize
4B

MD5
9839c88ea4cedcf1b97ca9b07ab1bf2b

SHA1
a78353ada552fb8cb8f5235824501b0a2dd44663

SHA256
8a60a1f8a3e81a022d059f2d31bdf623f72bb84070b296bdc71187cc2916f7ca

SHA512
4df02fbbf378b3a818099b1e15d2ea852a2b977b61e85a63f3ad5ce817714c9a8b460e42d29a253b648e079277e5ecc0bfe0dcd64a235fc8bab038c84c3d277c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSUwkYsA.bat

Filesize
4B

MD5
96099803a311b3a2df52b7dfcdc0385e

SHA1
4a8dc0bf4f2621001b93478ef6a4ec0b2ce28534

SHA256
047d0959c21c7532bdcda29cc776c324e13bdef7f6a8d01a9b30441ee72852aa

SHA512
c5b5ca6d9a99a93393357b89f2483be0daf04c91dee9f7928c28f302374e7a24d315c3e7c66c33dadb762459883b1c5f2e5452244f046a8e40de68c62e067da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWwckoEY.bat

Filesize
4B

MD5
647480e2493c0cfd5529f4db31ffefab

SHA1
d0f1d9c275c63d2b48adfb21e7872ec360fe935e

SHA256
105c735c1ccd11c4f833913e000664d421b23e092cfa0cf6fe41644a23203379

SHA512
5ef2cf179908619aff0dd33ade5a71ea8a07a07c619688c18c58500c3b8f6594e57322f254ac5283fc3792f52c8ac8e49536027f3b82641b05e53ceecdbf1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUQwIgcY.bat

Filesize
4B

MD5
47ba33b40788b297136c25de63b996d1

SHA1
1e2cf4b587e1d3958d91f9729e3a672bd6a3eb41

SHA256
d830ffc38dbab8072dc6e0856d11a2c25f9738006838ed26a982d98618f5ae38

SHA512
2c7970096269859dcacc199fda02b08df158f26f520cc5465e3065d62136178a1dca4e2f8be06630de0aa933b00cc513d878ba0439021217c3a1095668a92b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkEAUows.bat

Filesize
4B

MD5
238399cfe9439469edd11aec7b70ee83

SHA1
f427e1c50144765fa8c5731383e04b4bc1a2c4de

SHA256
5eeb833989d60cc82a9e87449e67b29c02f9d3b6ae4f408747a8a20a634e4d2e

SHA512
a699acd17c75379b1df7b0967f735b35dcfd1b2d32aa8774b3df56884ebb66818a17fa97c2142410b070d6a533c7c586039c18378ff00b94a769a554c520f264

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaskckgY.bat

Filesize
4B

MD5
d933ae205664a67aba057467d19bb3aa

SHA1
2168579a7068cfb93b1e83dae2616711b92ad805

SHA256
6065a970eb033df0211dd29f1de3091562411a291fb0ec878acc30b8d213cfb1

SHA512
05de735dfebc1f7827a54769509c35ceda73360d1a5661f16b135298cbb29b7e018daa7057a8ed5809d2ee15bb2b6a887f6b9c01aa53e1a46dfd03edd1fab8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkEowcAY.bat

Filesize
4B

MD5
8d2ee06a40dcca746d0ad93f9f9370be

SHA1
db91a30c9dff7cfabd63fb9476368dd321ad77bf

SHA256
79a2fdb2aa901713d54d5481f50d3c37c8b4f674731af88925ee53cb6025a6da

SHA512
f9c0b598aeb645c880687471f80cc3c8f2a57a03db55fc1f9319fbc9f3b58e7f575f90d29ffc52f6f002846c987c13ab15c3545c48f1178c8b4881d9824867e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksMMkEMY.bat

Filesize
4B

MD5
281e0b1d9c92bbf05d283368fe994ec5

SHA1
147f755a2dd09565016210157de0d7186c497aef

SHA256
6cd2e32ec0c91fdfa10661f39bb5074e4ef24b318faac98963a832002311843c

SHA512
16c245f7b986f851d7cd51c834305a9172c78ec98a33fcdf9c6a58641bd81e5c42083c1662f40a7b0ab3d08d7d9c8a9595928a7f6f209780aff85eed04785d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuocAwog.bat

Filesize
4B

MD5
82596bc11887f7ed9f13577912e06471

SHA1
84a0aec3c6964f52209971ffb84285558f930c55

SHA256
6d5f6a3f57039aedcbe0c3df37aaa4eee326b9f6ceb806048741fec3abcecfe8

SHA512
364cd67f44e17671f083c022987c6161e6059841259d912177e57d408c166fad6ff1173021cc16194237b8c9802bab54c8f265dbfb4a029e239a518a4bf04ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgQIIEgA.bat

Filesize
4B

MD5
b1811af7b57f009eb5f4c402f64a97ca

SHA1
e68d555f1173a65c9da2ba2ee55b2cb1bd97148a

SHA256
ee81b87e2af4a6242f6938444a46b35fe6c782bbb44d5af969c3114a8a0834f1

SHA512
1c8ed8cc802aa862e23019c9c184e3937412dcb6bd3c75c68077c61caf8ea357ed1aecba41914fe478fb296d5c57592e8679a96e6b5a5c1c10c50afc038d410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSwQQQQU.bat

Filesize
4B

MD5
f1fa8ae5b52f19f2853902750b68c926

SHA1
fa9c3f65c5f89cf8d5b00297d86e3fb9b920c94f

SHA256
35b455d13bff9288d9e0b6e6e8ffb700bb440313fdf6e3f970b442d43b14f32f

SHA512
b7d5901b374326b5ff56ed369cceb7cd7459267f42b6b220c772668b40e668d6678dd89b17b6a0ab81275e34a00211dd8abfb0d407e316d398229e3da8a1cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\meAcsEwU.bat

Filesize
4B

MD5
6045b1150d60fb6077296cbb4a1c8382

SHA1
ffeab66938a8e45be30d36b0d1a6f85c1a21c1fd

SHA256
ea35afdcbc4021c0ccb0d68292a79f912ca2c39b758bcb788009ba25f1ebe994

SHA512
4ef76d4be50da0e6e7d1e9da60212064d6009efbdddd70e43be5df14a6f0a191decbf4092d9f64d4fb9d0ee4576d46ab649704ef314046f5ecdf3e644fc3fdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\meoYggAM.bat

Filesize
4B

MD5
e7dd8f08d0f16d18f5f8fb1205315b67

SHA1
abe5bdd4852575e2eb96eb4d5b7291e88f0fd5dd

SHA256
1aabd6dbd847755112b07ce6a473df2fe44dd7330d19140f43df550795ca8a87

SHA512
a692affb501dd4900b77b9ebb95c82f3b07ce892e77cd84fd20eb0abc97b574f5885e7da0eb4a4163bde874acd77a6acb28670a0478a64154684cd3a003f5103

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsYkwwA.bat

Filesize
4B

MD5
692e06a669a74b28c2ac335ce54403ce

SHA1
49c5f7eb1a7efdd3da609d4ccc859cce3cf2d03a

SHA256
c90aa191582c9d2e87a4eb763cd8a0105dc95ce55976f2de745944fc3c8315fc

SHA512
9f15b7cafdabd0791c11773983025124e1cfe6a8144c5c772b7c5a2f3cac9f14338a1a2ad42f9ea6daa1999ed36b622b9f0546f65e439cf1290c3a50a493c5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoccAEk.bat

Filesize
4B

MD5
8bea4a7fa969ffde6b37eab4a26877b8

SHA1
de64f262c3a7645c2dea692c8775b9e7b4278102

SHA256
eb7cf2ec12417c984bf9d7f2070e2cb608a59215ed358d3a0e1f829f01ee03f2

SHA512
190cf812c3431f3b9a0ab83819aee3c1548a7d8285fd47fa725fa3abfe2401a97374ddb479a039803b93dda764b3fc9dde143ff4d2c2a89f2cb5f77496fc1f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCMgIkos.bat

Filesize
4B

MD5
59f5b62fe40cbab9079d5e3a2743b07d

SHA1
9eddacdc56a280c9d0d7f4c939b6a3fe098e375d

SHA256
fd6c2185184d5b3c82334404b2c163dd553abf9dd0ecf4e029295819d0fd98ef

SHA512
a2ddb48adb17143a95e2ad9c0464fce2c13b6675ce4bac9a7b88cc66378f7b7df7de4fb08af936b33528263d5fb14c5adae1c83eab7e54505fee36d24284b1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQoAMAEE.bat

Filesize
4B

MD5
7103cff459f6b9ffda2ba90636a57ab3

SHA1
e8a3db7eea4b2dc57aabee9bce29a60c9b6a894c

SHA256
a04b6fc98da9f5066413bc9bb1950c662a5cf00bff3f1532abb48dc3357eb4b2

SHA512
69c92996729f84c5c519d239f8ec3bdabc050912c2717b2d9dcd587c681cca811f8e29cba8003a6806b9b717224d1d2444ea14d8eeec657f144d170928050430

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQscIssY.bat

Filesize
4B

MD5
facd241e5d26b2cdff428e96c2229da1

SHA1
01a758a749883ad0e0e713ce90707fe48eaee36a

SHA256
213659ebb595f8f23acb414c72f59cbc892e606b1c045a9b12bba899622db9af

SHA512
fcc75387c2e17e421f2629d735a0e09b5d47e71af554b5e13966ace4e4a294efebe2c946386fe5f10f876d2b99ad4eba2758b847373de0e1feb8e0634caacdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmUYwEMI.bat

Filesize
4B

MD5
af5dd70e183fa0ebb7abf3ce0c8b3e71

SHA1
18970370bb808f1dcf8559b90aac4e1393075f21

SHA256
2e9867971a02150c8d85d9ca07d44968effbc57134a311fd90fe4d0c7d417961

SHA512
f97d79d936c8968c275c9752b2b10d396f11fb218cc1e0d5ed2c541d89fd1c90ed9ca4be738c8973d64a828eb02b9a56c03fba778a00f9b35f180af1e63b045e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGoIkUsU.bat

Filesize
4B

MD5
cadc5ba8d5f75875c144b051d5baa6e0

SHA1
bf634c3e2d5bdadfbac711bd97cd1374a7b81a27

SHA256
75dc8557cc96f2aaefea131f3d225f8f2e9deb2a9f907291dba80885e3689e55

SHA512
49ecd4e4d27106233bdac3e82d62987d60905ec5836670ba7e629a88d76cd3cc142a1774d5f197780e3aec8cb0281f5ec2e32caa1cfb802dd7e9147d12b81ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSEUgsYI.bat

Filesize
4B

MD5
e94ddc414d414c6330a0a222b9e65677

SHA1
c8c73aaa5af8c3ee713b9ef1773c8ad426da8526

SHA256
cf7e52e4881e34d53fabe6caa86becb292e191074d9b4be2b929b70b55bdff8a

SHA512
312bbd50b711d36967132dfb55d0652d11cb98233f2cf2bfcd9584893d151d757ffe88c8fb4b1902166fa867a4d902482585005283d8595656c8db6361cfd8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQwEocs.bat

Filesize
4B

MD5
01c5ee1fa5936054a220041e2fc9c680

SHA1
4ee3b6120bc1a33d7cf87d38cb39e50149a2c13c

SHA256
f580f8aeb906f5d6fc95ea7a6229bbeacbe1a589f8ed98a71df2d21db156c63b

SHA512
da4305f549bf1e379e574719f3df9c57df05faf7ebfdb2b25659800ac24e6c8b3fed98a96c01df3e5bab479cec6708d9dbe80c3340eeb4647bf66cbf7da077eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSwQgMws.bat

Filesize
4B

MD5
1539712b383de6add369e57b71355a5a

SHA1
c8199177c397192f62b9c02472fe23c26844d2e4

SHA256
e8c73066f7df11e5f380a14c225765b06a0496cbe1a8c348e2f060f8f634e2dc

SHA512
3ca4d3bced21bb2d89c85f533d381ceab60dbac843472103e2afc78803b36bef47f2400eaf9513ed0ad3847fc4467375b1c635c9047645810f64f5afcafddd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqwwYoAE.bat

Filesize
4B

MD5
587b5c5a7899d8652cf24850a60e73e8

SHA1
b5c9804aca06e627c737e64d913e7e8fb34aac9c

SHA256
c5fd4e4f42fcf57c33f31a4142b9b72f95aebd609152535acc08286b330fba95

SHA512
72289aede8e0b320913079512415e5065b078f05d4fb02287a2b97b9a2f306425ea52aa173272feef01d7c0360692e401817fda87b0e713a951f446c1074ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\quIwIUEE.bat

Filesize
4B

MD5
3573f4360ac12a228c72b4dce2e16934

SHA1
b703e990a48e0fe594def71e06e3c3374e5ee5e1

SHA256
3e711bd5585fe61c8c7ea0eeba587d6868504ef91260aaa4e604cb44fd9c88c4

SHA512
d02b4c3d153dcec80d76fa6efd3071613ec6c8e0d6a43e1ae055aa8a8b173b4376da72460c9b2ddcd1bcb0933d5373bc1f12480ec8d3b5c74de936cbe9728ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAIwYYgc.bat

Filesize
4B

MD5
44ab6ca2974f91678e9d0385b1a95455

SHA1
ce6e056952d4b2b15ad91a285c3243d32abf3b88

SHA256
27e034873354941032e459fdf5b5c2b1c551b96a415e3b89ff52524ec6c1da5c

SHA512
356b83b81cd94682d6224683153adc06060da9aedd27dcc5436d424b851147b1c49c9c769706ec36c0865a927d4bf1d6bc9c788e168b306465436943ee8a71e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGwEgAkU.bat

Filesize
4B

MD5
5a22bad096b04ab3afbee03d0ffb6828

SHA1
14a37d7bd6c5d49a5d48abc687cc1ff2546e4dba

SHA256
9bfac875f51ec3fa2d276c0aaa1b1341ec45f50fe49cd64a69223961a41d4b90

SHA512
b100cd49f77b115a5b247fcf3f802e0f0267134244d999eba2c6a70013a8e4d2d3a5ccd7f923eb0308926be8560ed3263ceef51aa132a872d16b032c677f4c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKAQoAQM.bat

Filesize
4B

MD5
e50a718ed4fe79a3e6a6f0cffae9b6f5

SHA1
f185a4fc80567432c2091988c1c48bbfeb91b3f8

SHA256
d45c908693a5424d54c16be5f16c4bd264ee886614b19c8321da32c61d58f61c

SHA512
18b21225dd5e51b2b602c8a55ca9a55f4713a1e0bd7de64b503c8ccb3f749680b9227100ab0f16cb0b59c4a60d1cc9973f31930587f3579c4fb3b5c8b23055ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\skEcIkws.bat

Filesize
4B

MD5
fda5f838fc0663d1bc6df497827a9cd7

SHA1
609d8b8337fbafad88ae30b33323ede4c9a74ea2

SHA256
2245126839d138d70bf2308a2345356c239b98bb28464f94a3bc2f0cc8adae19

SHA512
a87c600d049e5b031e072f40ae25378d50ee763760cb66758e90324d5d96dfe843c9c2db87cb2fd9dbb0dc2ab7f69f6e9994564423dbf3e17bd3e921397043e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMcksMQw.bat

Filesize
4B

MD5
d8d6dc4bebfac3cb9c82c36533dd2d34

SHA1
f9c153a322e7de159869b4a6e929a23aae2def5e

SHA256
0fe244049ac1103b1185454bf9e1e8323f0f8d1177e1d0da39b6391655aa1f17

SHA512
5dfe25218469aa3a97bbfd20c5bcfd47d7a65657f668d1b29be12b7c3c42abd6a101368d6f8ec9a5516d4ed9ef4d2b891e5a590fed4d4a894a2ace71df778330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMgUQAgE.bat

Filesize
4B

MD5
830d265cf2d414491c1a2608453e8714

SHA1
25c15a589bb32818e9666f812a0262ec51acd942

SHA256
ab135d1b817ea2db3edc7bdc66697a7af4ecbc5d05e7d76460a4353f6fdcdc0a

SHA512
19c7bafefc9ebc6de7f85dad18175d7d8a5451d57d814d6d553dc91ac16ef0e5affe2a99abbe2d632ee6dcfbbc944ed38409c1d0d0f4404ef1b93289c9bcdcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOEYIgMM.bat

Filesize
4B

MD5
73ad963598879fa4b7eb2a800aba1ab5

SHA1
22bbe96791b112a0bffd29d2739002d9d18c8309

SHA256
dc17dc9c82be32b6b1d1a52437b659a18c417c04cdeeb7ed0dde299201006579

SHA512
5cb476e1afb533cba13da996600cbfdcba7c8a5ff8807082d1425d21bf462a579a5d4da8dc9055a6d65a32cac7a9660e2bdcf0eda9967b0453992a84de7cdd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmsEsMwg.bat

Filesize
4B

MD5
aa2a2a85165cf05682daa9b197ab7e06

SHA1
d29f458720ad5b0793fd5404d0b25745b102545b

SHA256
3237cbeb7be44c9f1f4c4873dae5596559d28e2425474a6ebdfd7122ad771774

SHA512
e5bdc12b554867d0a7ba03158a971e43debd577dd88f7b02efaa7918fd578c452a323a4a9990e0e083687768e22562c3b7b5a9d8f2bccd962829c9c44120e029

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueckgcsg.bat

Filesize
4B

MD5
6b1b9319e87bf5287c3073e1bf61035f

SHA1
3ec780e7631ec419662a6816897c5480a0875de4

SHA256
5413d7816dc22a69caff00c38680f7aa2fee364fbe26597a8c353782e66a6600

SHA512
4e0d18182e6801aa9437830b201fa51cbcb9de565e6276a644f928bfb84859a02732a8ab4153e52aed02df99d37debd8793c1f3e6b3a7c55e74dc3d49c901fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaMkEIMQ.bat

Filesize
4B

MD5
034f06efbc72306db3e05f6019c25146

SHA1
ea64fb8e0c1a32f3752089740b07ab2f0b936a5b

SHA256
82222753ba23fe83195c93600b046e4185e20c389ceec627ab0517256ae5bf1e

SHA512
a0b3044311c0728af5b5fdf21dd116cc8c2c0e959c18623f51c2fac7110549b6997aa9fa99cbe59029d3ac60e2c84c409803a273e4918eee8dc66b99f3820efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMcsUkA.bat

Filesize
4B

MD5
2a57edb0b83d3ae56515acdc08806ad4

SHA1
c70273fe3831fc9dde2092cb6f826d696dee21d9

SHA256
8e037f93a4ea7f5b861080ec89f7dca9b389e6d61f04eda7e3b955105e2c95f8

SHA512
f80eccb9e4b13c943912156197eb196818e3baedec817dcc471a9bff88f025ace306ca8a39fa9f0080cddd7c91b429195c808e79e0fbb1448a32503b48107526

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiMcMMII.bat

Filesize
4B

MD5
eec987a33e8a883d71d2a2eb01102c23

SHA1
4074d4a4cca0b3b4c8df18fd31892d8c99f5ecde

SHA256
14abf5b83078d36082729881ae9c40794495010be7b0c985c117c5912f33745b

SHA512
e6b269b870ad0bd1698172e4b115302f1f2e7c347382533c7e8dad4e54ce2aa7496197b8fc4c0d8451036b9682b39d2b29cd90616c2416b830e247a720d8d69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiYMEUIo.bat

Filesize
4B

MD5
dc426526a3366d18a65ded1f6c364ed9

SHA1
8b85ae9c8d4fefccb9f941aa8073f01453a8d559

SHA256
a4a4f434cddf9474b5e1f6303d110f4be803c11b5b37ec7e3e31a1c1984b48a0

SHA512
503c772f582c8a8dfba6b714734b9300c9bb7c222ecb19be0d1da66f109de51bd0d7344f178a8ffd5fe4cc962cc74902fb4c8e9432ebc04d8ef743c0926dc732

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwgccIko.bat

Filesize
4B

MD5
30bf079fad81a430b6c413368e91ae22

SHA1
62622f288318bc494a2d5b9cb1a274091068facd

SHA256
c69be92d413f2013b16ed7b138887b070e5be06405c84bab81afd294fd02c27c

SHA512
337d99c9f9ae26ba3e00378663aa5dd43498172386fa3a940cf797252dec6760471b181bb4e20e44797abf1d9d0c2d6eabfc92cf3014223e696b6d51138a1038

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAAssooo.bat

Filesize
4B

MD5
7c3a53108c94b6222dc4a22ada11ef25

SHA1
9c1d74404fb95390bdcf04f5213acbc71fe89f5c

SHA256
47be4d864d0af1258db7ed0d23822e9de103d083c3ee80046c228629b91a669b

SHA512
198eb78effea863a231a3a334ebc9dc1cd9e7fcdf771305fbbd86a2a5a3d6ccfce568b7a9d91472a4ac541efc85f63a9ebff06812a915150f8ee611f5b3ea865

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqYUgMUg.bat

Filesize
4B

MD5
98efa69d5a8011a85bc6b0ff8d8fc3b3

SHA1
fd248703bce2b43b3feb0062b86da767b8e35c87

SHA256
691f5f6711eba3c4f443637efb886a0b3f40df8c3b7670846f2e3e10661433a5

SHA512
fd7553e053de39116adb1ef88f4d62e48a6145881a10d617b10dfdb3035404bc12359fc8ec8ca89d65923bfdfd8a863e1561004aa47c1d8fd04a47d710e9283d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMsUwUAY.bat

Filesize
4B

MD5
0abc650f655ed0d9c0d0286d59f952c3

SHA1
51109c6bb748b6e195dc842257bed6bfec37aa87

SHA256
1b66e9b2419c486e7ac38b6127963d4efcd5ac5a41add30b6b89156914f3ff6e

SHA512
8ff47c3414fa6d8a5f0f4df55a8d30934a85dd18ac11212e4f64c67da53154cff8fb9a2a918313a426032398d418ce6f193ec4ed2f63d76022badf7c7f4786da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycscokMw.bat

Filesize
4B

MD5
7908f7b933a5933b37cc71376049e831

SHA1
2627d6ceedcd2bc0f10450b3a0faf3c1d7d87f97

SHA256
665e328311e0bf46688b20f3e077fd9693b28ba73ff6eab87171e9f5fb60e744

SHA512
7a960287f9f2cc772e32dcc08093522a8dbb11980a11d1b2d7f9f1f6b08c2375d03f492966469a66963872e62d866360f52d0fa39c55ee873b9948c1628440bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMwkMoE.bat

Filesize
4B

MD5
ab5eb6be14a0f35b22180406ddda9ae1

SHA1
deb1ba9861e90c08e3a57f333086061083831414

SHA256
d01137061c0f2cafa249d1df896d3b9f60ec37b25de211696198cd272885f571

SHA512
67a7bc58d6352fae3a9cd1dd1fad27da27c69ebb1faafacb4c57f40f4be719afd5ba6ed85ec9be0203a83286720c7ec5119335f58d869d8c94bbccc1e9f7bab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgMMUQQ.bat

Filesize
4B

MD5
de9fe7b0d07fc5743cae6d3783f70840

SHA1
a8071d1bbc5f51ca45e4f5de02f3582650f2d622

SHA256
6af10aa0fc1b3bbe082a0fd8367f133256271bdabbbcc88c3a280785945fc72c

SHA512
a17f8cd5d448b3143bd91fce1af5ff36bb454455862498697e123efa22cbaff83d66d84385b9172947dd7cd3df063c97de873b6526d95bcf37e95280c316dde7

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\qqIAQwgE\vycIIkYI.exe

Filesize
2.0MB

MD5
76ed2d6a7f0acd7da786a6ad32603c02

SHA1
fdac283dc70179c1bbb1ed69933dd6ad3a464fbf

SHA256
fb434e52ac26f63099c50deeaddfd236b83a843225a3ad2187996ae55271caa8

SHA512
30ff2d9620b13ee04975a5349787a06e055c31484c142740cee9749bdae2dec41bfb83c3a5f489b332e46ab3eeb4615270de8a734ee21d2bde02d8e7c9e7190f

Download Submit
\Users\Admin\dccgQksA\qGoUwEYw.exe

Filesize
2.0MB

MD5
1998e865d3d36bf142a4f0632e1aeab1

SHA1
c8afdadbfafefa67b0c30968d04ceaa57a5d3b9f

SHA256
10dd7c5b34b5fe58b76a54b09ae6623af9e31e119eefa9587a9e36b4e29cae91

SHA512
3a0829f21a39c0ec58bfeb52090380d99e5013727887b469b2b1a96d2c957928ba63944e2426a7bb3aff6a78e1279682b2a003002b358622e3530dd11c6649d3

Download Submit
memory/264-97-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-96-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-199-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-299-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-203-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-145-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/264-240-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/396-391-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/396-257-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/396-305-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/396-206-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/568-133-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/568-237-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/568-279-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/568-184-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/760-266-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/760-320-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/760-534-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-317-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-254-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-161-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-67-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-68-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-219-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/892-108-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1012-306-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1012-642-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1020-81-0x0000000002080000-0x0000000002292000-memory.dmp

Filesize
2.1MB

Download
memory/1020-187-0x0000000002080000-0x0000000002292000-memory.dmp

Filesize
2.1MB

Download
memory/1020-80-0x0000000002080000-0x0000000002292000-memory.dmp

Filesize
2.1MB

Download
memory/1100-144-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1100-49-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1100-253-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1100-298-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1100-198-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1100-107-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1292-426-0x00000000020B0000-0x00000000022C2000-memory.dmp

Filesize
2.1MB

Download
memory/1292-222-0x00000000020B0000-0x00000000022C2000-memory.dmp

Filesize
2.1MB

Download
memory/1292-223-0x00000000020B0000-0x00000000022C2000-memory.dmp

Filesize
2.1MB

Download
memory/1360-94-0x0000000001F80000-0x0000000002192000-memory.dmp

Filesize
2.1MB

Download
memory/1360-202-0x0000000001F80000-0x0000000002192000-memory.dmp

Filesize
2.1MB

Download
memory/1360-95-0x0000000001F80000-0x0000000002192000-memory.dmp

Filesize
2.1MB

Download
memory/1420-132-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/1420-239-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/1464-285-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1464-572-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-150-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-201-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-300-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-256-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-286-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1512-149-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1768-224-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1768-183-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1768-278-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1768-130-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1768-82-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1892-110-0x0000000002150000-0x0000000002362000-memory.dmp

Filesize
2.1MB

Download
memory/1892-111-0x0000000002150000-0x0000000002362000-memory.dmp

Filesize
2.1MB

Download
memory/1960-302-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1960-243-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1960-242-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1960-495-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1988-323-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/1988-185-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/2060-220-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-255-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-112-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-2221-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-113-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-162-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2060-318-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-277-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-217-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-78-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-129-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-2-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-0-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-3-0x000000000040C000-0x00000000004B4000-memory.dmp

Filesize
672KB

Download
memory/2296-4-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-16-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-31-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-182-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-46-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2296-47-0x000000000040C000-0x00000000004B4000-memory.dmp

Filesize
672KB

Download
memory/2296-1-0x0000000000220000-0x00000000002D3000-memory.dmp

Filesize
716KB

Download
memory/2296-36-0x0000000000220000-0x00000000002D3000-memory.dmp

Filesize
716KB

Download
memory/2296-321-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2344-131-0x0000000002190000-0x00000000023A2000-memory.dmp

Filesize
2.1MB

Download
memory/2344-48-0x0000000002190000-0x00000000023A2000-memory.dmp

Filesize
2.1MB

Download
memory/2348-265-0x0000000002270000-0x0000000002482000-memory.dmp

Filesize
2.1MB

Download
memory/2348-532-0x0000000002270000-0x0000000002482000-memory.dmp

Filesize
2.1MB

Download
memory/2348-264-0x0000000002270000-0x0000000002482000-memory.dmp

Filesize
2.1MB

Download
memory/2348-533-0x0000000002270000-0x0000000002482000-memory.dmp

Filesize
2.1MB

Download
memory/2424-284-0x0000000002250000-0x0000000002462000-memory.dmp

Filesize
2.1MB

Download
memory/2424-283-0x0000000002250000-0x0000000002462000-memory.dmp

Filesize
2.1MB

Download
memory/2424-571-0x0000000002250000-0x0000000002462000-memory.dmp

Filesize
2.1MB

Download
memory/2432-186-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2432-301-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2432-238-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2432-351-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2468-226-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2468-281-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2468-462-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2468-225-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2472-148-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2472-147-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2616-324-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2616-325-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2616-678-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2616-676-0x0000000002010000-0x0000000002222000-memory.dmp

Filesize
2.1MB

Download
memory/2708-494-0x0000000001FB0000-0x00000000021C2000-memory.dmp

Filesize
2.1MB

Download
memory/2708-241-0x0000000001FB0000-0x00000000021C2000-memory.dmp

Filesize
2.1MB

Download
memory/2856-389-0x0000000001FC0000-0x00000000021D2000-memory.dmp

Filesize
2.1MB

Download
memory/2856-205-0x0000000001FC0000-0x00000000021D2000-memory.dmp

Filesize
2.1MB

Download
memory/2856-204-0x0000000001FC0000-0x00000000021D2000-memory.dmp

Filesize
2.1MB

Download
memory/2856-390-0x0000000001FC0000-0x00000000021D2000-memory.dmp

Filesize
2.1MB

Download
memory/2908-163-0x0000000001F40000-0x0000000002152000-memory.dmp

Filesize
2.1MB

Download
memory/2908-164-0x0000000001F40000-0x0000000002152000-memory.dmp

Filesize
2.1MB

Download
memory/2952-165-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2952-319-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2952-221-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2952-280-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/3068-303-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/3068-304-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/3068-640-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download
memory/3068-641-0x0000000002030000-0x0000000002242000-memory.dmp

Filesize
2.1MB

Download