6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Size

116KB
MD5

1bbc0b2d05e142a54b1174e4faf1cc02
SHA1

9c3ab35422d4a9a684fc31917889a31487396cc2
SHA256

6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
SHA512

957abdc5d1b0c2595f0e7f74ae76eca0e7b04997e33eb8623904976c247a98de2e0c015eedf9b7b40939b5e8dc7ff1da9a069b1bd86cc0d76a4e0f332bf76da5
SSDEEP

3072:64JwqCUE0YsSc0o0QE5aTtbcfI9YIoNEs3Nlh8v9wsXV:6Iw5B0YK0o0QEkTtbcfI9YdEs3Dhmw

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	nykMoscM.exe

Executes dropped EXE 2 IoCs

pid	Process
4148	nykMoscM.exe
4724	nwIIQcAc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwIIQcAc.exe = "C:\\ProgramData\\TOMEwQUc\\nwIIQcAc.exe"	nwIIQcAc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nykMoscM.exe = "C:\\Users\\Admin\\TSQUscks\\nykMoscM.exe"	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwIIQcAc.exe = "C:\\ProgramData\\TOMEwQUc\\nwIIQcAc.exe"	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nykMoscM.exe = "C:\\Users\\Admin\\TSQUscks\\nykMoscM.exe"	nykMoscM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4732	reg.exe
2824	reg.exe
2856	reg.exe
812	reg.exe
1824	reg.exe
952	reg.exe
264	reg.exe
4632	reg.exe
372	reg.exe
1820	reg.exe
1904	reg.exe
2488	reg.exe
4980	reg.exe
952	reg.exe
1656	reg.exe
4884	reg.exe
2488	reg.exe
2692	reg.exe
3084	reg.exe
1868	reg.exe
624	reg.exe
4272	reg.exe
932	reg.exe
4060	reg.exe
3512	reg.exe
880	reg.exe
5020	reg.exe
1336	reg.exe
1576	reg.exe
1624	reg.exe
1584	reg.exe
4764	reg.exe
4728	reg.exe
4036	reg.exe
1748	reg.exe
3652	reg.exe
2440	reg.exe
4980	reg.exe
1636	reg.exe
2464	reg.exe
1564	reg.exe
3808	reg.exe
4316	reg.exe
4472	reg.exe
3700	reg.exe
2888	reg.exe
3772	reg.exe
3956	reg.exe
456	reg.exe
400	reg.exe
812	reg.exe
4256	reg.exe
324	reg.exe
2676	reg.exe
3752	reg.exe
1952	reg.exe
3052	reg.exe
64	reg.exe
4412	reg.exe
2824	reg.exe
4272	reg.exe
2532	reg.exe
3312	reg.exe
1400	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4848	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4848	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4848	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4848	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2124	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2124	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2124	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2124	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2996	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2996	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2996	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2996	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4276	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4276	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4276	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4276	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4576	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4576	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4576	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4576	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4592	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4592	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4592	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4592	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
5076	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
5076	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
5076	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
5076	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4032	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4032	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4032	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
4032	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1948	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1948	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1948	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1948	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3516	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3516	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3516	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3516	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3748	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3748	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3748	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
3748	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1752	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1752	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1752	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
1752	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2344	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2344	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2344	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
2344	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4148	nykMoscM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe
4148	nykMoscM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4148	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	86
PID 4780 wrote to memory of 4148	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	86
PID 4780 wrote to memory of 4148	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	86
PID 4780 wrote to memory of 4724	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	87
PID 4780 wrote to memory of 4724	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	87
PID 4780 wrote to memory of 4724	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	87
PID 4780 wrote to memory of 2608	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	88
PID 4780 wrote to memory of 2608	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	88
PID 4780 wrote to memory of 2608	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	88
PID 2608 wrote to memory of 952	2608	cmd.exe	91
PID 2608 wrote to memory of 952	2608	cmd.exe	91
PID 2608 wrote to memory of 952	2608	cmd.exe	91
PID 4780 wrote to memory of 1868	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	90
PID 4780 wrote to memory of 1868	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	90
PID 4780 wrote to memory of 1868	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	90
PID 4780 wrote to memory of 1108	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	92
PID 4780 wrote to memory of 1108	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	92
PID 4780 wrote to memory of 1108	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	92
PID 4780 wrote to memory of 2676	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	93
PID 4780 wrote to memory of 2676	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	93
PID 4780 wrote to memory of 2676	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	93
PID 4780 wrote to memory of 1756	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	94
PID 4780 wrote to memory of 1756	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	94
PID 4780 wrote to memory of 1756	4780	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	94
PID 1756 wrote to memory of 3156	1756	cmd.exe	100
PID 1756 wrote to memory of 3156	1756	cmd.exe	100
PID 1756 wrote to memory of 3156	1756	cmd.exe	100
PID 952 wrote to memory of 3512	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	101
PID 952 wrote to memory of 3512	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	101
PID 952 wrote to memory of 3512	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	101
PID 3512 wrote to memory of 1196	3512	cmd.exe	103
PID 3512 wrote to memory of 1196	3512	cmd.exe	103
PID 3512 wrote to memory of 1196	3512	cmd.exe	103
PID 952 wrote to memory of 4032	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	104
PID 952 wrote to memory of 4032	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	104
PID 952 wrote to memory of 4032	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	104
PID 952 wrote to memory of 3372	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	105
PID 952 wrote to memory of 3372	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	105
PID 952 wrote to memory of 3372	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	105
PID 952 wrote to memory of 3300	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	106
PID 952 wrote to memory of 3300	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	106
PID 952 wrote to memory of 3300	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	106
PID 952 wrote to memory of 4436	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	107
PID 952 wrote to memory of 4436	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	107
PID 952 wrote to memory of 4436	952	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	107
PID 4436 wrote to memory of 1380	4436	cmd.exe	112
PID 4436 wrote to memory of 1380	4436	cmd.exe	112
PID 4436 wrote to memory of 1380	4436	cmd.exe	112
PID 1196 wrote to memory of 1540	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	113
PID 1196 wrote to memory of 1540	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	113
PID 1196 wrote to memory of 1540	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	113
PID 1540 wrote to memory of 4848	1540	cmd.exe	115
PID 1540 wrote to memory of 4848	1540	cmd.exe	115
PID 1540 wrote to memory of 4848	1540	cmd.exe	115
PID 1196 wrote to memory of 60	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	116
PID 1196 wrote to memory of 60	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	116
PID 1196 wrote to memory of 60	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	116
PID 1196 wrote to memory of 4964	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	117
PID 1196 wrote to memory of 4964	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	117
PID 1196 wrote to memory of 4964	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	117
PID 1196 wrote to memory of 1748	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	118
PID 1196 wrote to memory of 1748	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	118
PID 1196 wrote to memory of 1748	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	118
PID 1196 wrote to memory of 3732	1196	6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe	119

C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
"C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\TSQUscks\nykMoscM.exe
  "C:\Users\Admin\TSQUscks\nykMoscM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4148
- C:\ProgramData\TOMEwQUc\nwIIQcAc.exe
  "C:\ProgramData\TOMEwQUc\nwIIQcAc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
    C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        8⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        10⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        12⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        14⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        16⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        18⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        20⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        22⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        24⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        26⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        28⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        30⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        33⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        34⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        35⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        36⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        37⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        38⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        39⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        41⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        42⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        43⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        45⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        46⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        47⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        49⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        50⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        51⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        52⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        53⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        54⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        55⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        56⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        57⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        58⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        59⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        60⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        61⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        62⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        64⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        65⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        66⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        67⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        68⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        69⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        70⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        71⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        72⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        73⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        74⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        75⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        76⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        77⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        78⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        79⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        80⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        81⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        82⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        83⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        85⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        86⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        87⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        88⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        89⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        90⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        91⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        92⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        93⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        94⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        96⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        97⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        98⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        99⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        100⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        101⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        102⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        103⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        104⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        105⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        106⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        107⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        108⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        109⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        110⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        111⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        112⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        113⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        114⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        115⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        116⤵
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        117⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        118⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        119⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        120⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        121⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        122⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        123⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        124⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        125⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        126⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        127⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        128⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        129⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        130⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        131⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        132⤵
        
        PID:880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        133⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        134⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        135⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        136⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        138⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        139⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        140⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        141⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        142⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        143⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        145⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        147⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        148⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        149⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        150⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        151⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        152⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        153⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        154⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        155⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        156⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        157⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        158⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        159⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        160⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        161⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        162⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        164⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        165⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        166⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        167⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        168⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        169⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        170⤵
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        171⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        172⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        173⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        174⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        175⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        176⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        177⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        179⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        180⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        181⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        183⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        184⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        185⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad"
        186⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe
        
        C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad
        187⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCYckgQg.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        186⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsgwIcI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        184⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKYIcgYk.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        182⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYIosUw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        180⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQkEkocw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        178⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsAwUoQE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        176⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKkscggw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        174⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOQgwQMs.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        172⤵
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSYEcUgE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        170⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMcAwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        168⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIYEsoA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        166⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysAUQMIU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoUYEscA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        162⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaIoEsIA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        160⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwMIsQM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        158⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAEkEoc.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        156⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwsgcgoU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        154⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcIAEYEA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        152⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAUYcIUE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        150⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKMYoUMY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        148⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgoAAEcc.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGMAQQAw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        144⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcIYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        142⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcEEwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        140⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acoYcAos.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        138⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYcYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        136⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmkwsIcM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        134⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOAMUYgk.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        132⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKswcQYY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        130⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyokcEEs.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        128⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:1820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMIooIcU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        126⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqoEYYkE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSsEQYkU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        122⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkoUccIE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        120⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSsUoEEU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        118⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuMoIowc.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        116⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYwMQggE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        114⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gigQgcEU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        112⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owoMooIs.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        110⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEEAEcI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        108⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsMYwMUE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        106⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIoQYEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        104⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foAAQwks.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zawMEMUA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        100⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msggsgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        98⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIsMUQwA.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WigwEEwU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        94⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMgAgYQo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        92⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsIwIEEk.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOcYscEM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        88⤵
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LioIoQMI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        86⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOIsYoYc.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        84⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuoEMwUM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        82⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYIYckUM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        80⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vooIQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        78⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiAYUEYE.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        76⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQAUgkAY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        74⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkQYkkko.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        72⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKkkcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        70⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkkYswU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        68⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKoIYgow.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        66⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmwAwYoY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        64⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuMwAIIY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        62⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmsIwsUU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        60⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkUskscw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOkQAgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        56⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGoMwAok.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        54⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEgcEYYg.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        52⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aogEQQgM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        50⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xesEkIks.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        48⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWEUMosc.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        46⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSUUMkAw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        44⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weoQYMQo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        42⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAokwQAs.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAssoIQk.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        38⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkggIIsg.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        36⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DywocMQo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        34⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuQYgUwU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        32⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwIoYks.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        30⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGMAwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        28⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWokAokQ.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        26⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okMkcoks.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        24⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWUMYIMU.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        22⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEUUYgw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        20⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUAIwgkw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        18⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGwAwoos.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaYAAcEw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        14⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYUkIwsw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIMAMAEw.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwAYMYIk.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        8⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:60
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4964
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgMoYAo.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
        6⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkIYwwAM.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:1868
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSocgAIY.bat" "C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3156

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv HBfU/xCNlUyLCxqIDp2D6A.0.2
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
141KB

MD5
f381e1948d5b0048534369904863d692

SHA1
87f500a0eca19f92bdd44dbd4f7605d4e90038ea

SHA256
cc148eb00c39657ce19244b663b16b025ce52eb0e44a1fd2a6bc5ae78aa07ca7

SHA512
fdcad7bd2d258d134c9c7266163e264be2fb4afef831fe2f4fb3b9fa72d805d732f8a3da248605f1056dc077e4113c884a000e16eaab468d80b163edf2b2221c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
139KB

MD5
a631bf25a91d222d0563053033b30d6f

SHA1
cb05e71e3e7cff21ee07d7c215f73684b310167b

SHA256
0cdced01bc37ff345162fdb7780c67b1078248fb6736895d42305146e755fbfa

SHA512
9783d6b384584e8bccf304de82c1c20dc38f3fc559c71e2d63c189b1614b070de9047149cd2fc4fcee3e228763019886c238768c11df293bb89c2f0d0b340575

Download Submit
C:\ProgramData\TOMEwQUc\nwIIQcAc.exe

Filesize
110KB

MD5
34433cc77fc5636d8916c061bc09843e

SHA1
9233afa7e1954a1fe500baf95bd5b0f34c227c3c

SHA256
324f9b15b5c5a520337dec0ea3b17509dc667c585532ddae36297f20052dcf1f

SHA512
334879be31a6b5d2a54528b73bc9ffd2745bf9c872de675a80a808876af7fc514ac889f828aca1211fbd0d2d349e4452c3a54dec8c9fc85c03e628cfd7279b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
117KB

MD5
1413e41bc3d77fffa0fb58845cf28699

SHA1
26600c0bee3ac302eb85221b33a4e1eb0eddc76f

SHA256
bd32e0a2ae2769050eea5576f2ce0139dcd4a0e83949abda15a36e440c0d5d6f

SHA512
bf2895047d66270dbdbcd703a966419873031c3d224c0caa3fa409e388b234581a17360450e4614ebd03edd87d759a961308d335589222731ccf538143b6da88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe

Filesize
110KB

MD5
a9b44a793d7c42a4f4cd706ae31ff4be

SHA1
5875fa35b133c9641877e821e4c1fbcd5293d6b5

SHA256
2f7e612eb532847672679570543e9036c18e5bb81a7728fd2253b315df7987d4

SHA512
2e23599400f0b7a2fa857f13367093dcb424069ab49c44596eaceeba3e2070b1fe4cc915cada19df4986da3969b61c22228031f17a2f37ec9fdf362b060a8b8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
112KB

MD5
39e209823fe763dfb88b2558557b5fd8

SHA1
aff8589260aa157375f04110a50b918a0d9ae5df

SHA256
34ce8c985c2eeae88962c14d451974840fa17c5b4d6302f13b29337051cb19cb

SHA512
d09d22b7fe94a3179521739d42de8d9f36b8f6282dda1578d220d0733aa873e39c233b740bbe9f196e0ae81c336baa9e1b8c766c55efb781f8aee38217f77081

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
111KB

MD5
dd8cfeaf195d07dcbae68f3f6a77a948

SHA1
2f56a43f4b8dd2f46027a4968a3f7dd41266cf0f

SHA256
29865480cb21e8f2ae1f89211405ce69d91e602247e27808d69f4b4b5688a61e

SHA512
e32d7b6baa4f29166ae22662fa5e7d7100629421c52857b6fb2daf3c26ca0fedf752994ddab0d51e94108e46c91818ce880670b0bebf1b83b3d20b8d3f724a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eaa1ac01d9e7d7bfd230b5ce09625bd1bd737c47f417ac1745d9d51c91245ad

Filesize
3KB

MD5
996bca7579b605c637c11bc015df9cd8

SHA1
1bd949caa1355a76930ae9139ec5ba91a1e57c80

SHA256
a2a95214b439d3fe8b80d43520e2ec8b8cc643f678a46f53e0b354542644de1f

SHA512
aace127a0af196444b272000b4f085bcc15cbb07b3b4b8a31a6895e3df791d17a3ee457ffd29ad7f565753dc38600cd55f9fdad3ebc883ea26470af41c8431c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQMU.exe

Filesize
696KB

MD5
8f8c5de8ad8920f6610a833e7a355b3b

SHA1
35650d3418e9472b348b9748ba6cbab521b347ba

SHA256
05349ab490403df2db3e3a82a31bb23beb1d0e77be97003ddd20b2219dc5bfd6

SHA512
2d2a234f3845b0367a8c9c6b0dc52c87a43cda9436385d66e9e15ba5b55ab4c89b536d829053b3f47c7e49eeb7cbf45dfe64db1352c1697d5cfbd0bedeef61c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgo.exe

Filesize
555KB

MD5
901db9ab0a8edc8179f2bcaadb0d6c00

SHA1
a78824d489edb92240a0a3bb1db8a1b43c1e46c2

SHA256
18e13653e6a432f2e9a9cf9fc2761917ac20dce4786f05fe62e426412c3a6ac2

SHA512
8e7d24c177e7919d6b79f8f4c6f42df11b54bef30346a0c2fd7f60680ea85a6cf064b2bc3adac9042a300b6385b90dee5248ed251fb59fe426f5b4a97301f325

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAy.exe

Filesize
118KB

MD5
201564a2aa044d652fd24c513a787a38

SHA1
85d9e41d23d4539a418e72987d40d241de25b896

SHA256
dd749e3fc38770ea732dedbdd133100e781b7c60b4360e9d31e0a365d18161af

SHA512
336b0fc639c387c1e852ab90e7598058b419c5a778b68ffb8bf55762b001c1d5438f6139baef2ca770a918f05603dcb5363f6065de69c99198d682b00a9593a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokQ.exe

Filesize
822KB

MD5
fe6fc7d255c9d7559dc1c5f7d82fd66a

SHA1
399dfd5a65526b455d34174751fba7047623d916

SHA256
ceb2abb3e9ec2de94562f5cb7fb55b90a9adcae0dc2222c887a8b3d4a750783e

SHA512
dcf4ee43d073dc3ec11ef779001734692090eee640875887ff3bcf46c24e9172c559ad8d176d267f848d35067a3354c906e12eeb085af16babef6730d9c5aad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AooK.exe

Filesize
112KB

MD5
1ef6583a9f5801a8292d32fdb9528351

SHA1
e22844ae2b7af7274490924bf1e42f935f7bab54

SHA256
fea9f8ca3d3af0c5fba20451975dbb082ca5fd8be819a77a053ed6cb009bb16c

SHA512
a0c9a22d28b14843a38738ecf3e0fe9d69bca152cadc5db383532f49b5a6757981dc8a859db7f36a1276458b821871c327ba7a9eb2f1d8376a281a0a3a358e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aosk.exe

Filesize
113KB

MD5
6a3d2bdf0c4ddb12dafada228c92c0db

SHA1
a4cea9a91bd87d1d161034efec68ab2922eee2ad

SHA256
e7c06ef67f622d6ef915fab55e8e26910f61ccfc72c390dcf2661e56a4b6ff3b

SHA512
4b1aff58cf0bb187138cbef1a66b9f6b82f1eab172613aea9c58ac8c09030dc4640eb945f6e835c714dadd1cec998e4532b8597bf02e0e060fd6410cfcc63f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQq.exe

Filesize
115KB

MD5
22333b0de5763204fccb64156101af45

SHA1
acd4a662f4a9d072fd8d3962d6a5f5945bca4ca3

SHA256
0880a2aac62a37a681d85db6f155c11b88f4170824a16e0496d540e97a95093b

SHA512
adb2ae424d1beffbcd23fe6697b3d7522ba2c4989df6ff1add7f5c431fe6c58e4f5ed81f260d27644e4472faed60a673160fccc83fd1997c1c689cf2525c5872

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAy.exe

Filesize
153KB

MD5
ac73054b4ba7d655354da736ceecc237

SHA1
63441364728424c621b1f9ba90b038901ec9706e

SHA256
a5ecd6ac1b68fba8aec0beb880eb43c3f9da520e30c3b58792d4e0aadb42b54d

SHA512
ae3a5f11ca461985219d2268a23903311e69a5f633a73a48ced9167ee6063b2af6ac1d19f4c8fd3dce276f9dce92c356c11052e31a0fb3b88bd317cf7ee795f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcYo.exe

Filesize
118KB

MD5
859f7b2eb16b8be1780de475281b50cf

SHA1
7d81d396a3ad252764309dc2c49ab086d1bffe3a

SHA256
067cae5d37220f5ba65f993a3813f4fc7f87e02c01997ba09ca778ff79cc480a

SHA512
5971442e89116c263658c55a55e4722ab4d91f92e4bc626911e919166ede68eddebc9769a0014037887d78883b74ba649cde237d95f71f3c68053fa5593f36fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkQs.exe

Filesize
555KB

MD5
58df4a77dbbf847c041e4da44036a084

SHA1
47b01f28773347bb76783ca727099fd138f9dd18

SHA256
27d38dd4e4f962f36d3ca295dbbe2ef559831c680f12e2d0c3dede37b6c809fc

SHA512
71ccbf0e7652a12393844cd4921b086c83162bc8907a45540451cd26098b52f66decfb8b344a2fc7f493ed7f9e6bb6108cf7c182e83075469e43fbce53f1a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMYe.exe

Filesize
114KB

MD5
21fad328387db65a6b8f3b019a77a2f5

SHA1
c31de646e87d49da31bb000d4a8d6587382411f6

SHA256
760beedadb963b3fd0e5c5620b94f11d0f68c11423061b5d05439cbafc5b3fa1

SHA512
edf1c44b1b65620af421dd8326c5b47c0b891cf8ae2c8c25d9384381ab12a383321d22bd1ea465555327c63d4bae674326206da092177231f01b72cc6384610d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcQ.exe

Filesize
118KB

MD5
9af9e6d30325cfcec0e61bb39f8d098e

SHA1
a1b62ef72a033dfe4cbbe52e53619c0167f0988a

SHA256
c790d89b021bbb8aada20b247d909a016b9729167e1a7dc0714de5582068c940

SHA512
62b259d2e0bcebb949027860642451784ea7345adb87374837dfb6f175377cb9f42bdbe159852b7b83bfb0cd3816e655704ae1b814c478f7c9873cb3b256e852

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsA.exe

Filesize
115KB

MD5
f841c06b6a8ad6ece27a03a8b62c69ba

SHA1
f26257f4d7d304044dedf6be280b4f7c2c433988

SHA256
3bf193ab0ca10696682e181867c9c12fdd9302f5cfeff953f32e40c8961294cc

SHA512
c57e6edfbd7669852575358f71400c34ef30f01b6a138124bd69f3d090e0a5914635fae0f1dae16e9b39e2a51990930197da44af9d69d7fdf55276e8c5d08f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsMm.exe

Filesize
493KB

MD5
4e7472fdfb22f385a234935348f12a33

SHA1
8fc69a35d5a3bf226191954dbc659ff453d2124f

SHA256
d07dfb95b00e2792eaecf6bd2237c86f4caba2048f18d74ef0738d08c970d444

SHA512
b1bb2fbe7edfe3013459d7e3f2f855c24a3bb945f7717374329f67bd4b8d42f0660b6c6eaf4af7b5bfaec2496a4e7ee40699a8c514179bd6383c5c602edd9088

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwU.exe

Filesize
111KB

MD5
6980bb3be61e0ce383b92fe945f74fa7

SHA1
aa0df86016da25c4afd7830dd80ae6b4a8c5b345

SHA256
f65299453692bc6d5d8a584861f31ab36ba4734e679f2087057f8f794c274b2f

SHA512
281fbae81c5b27ccc5e26eb9439c87091d518add0352669e0bd00f7110888911b0229b86b8b59a8104d4c771de9e66375e3648074f940946724df7adc88a6abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEwW.exe

Filesize
862KB

MD5
b0935f6176e49ad4ccbf638360b5a33b

SHA1
779ad98fe94c0089d3992e338193328b76d6a5ce

SHA256
f025fdd595bcbc150bb898f3eec5442c7a98ff84c9d9e65569570704dfed2976

SHA512
61d85fa887d26dff08c8f49d8de6a37849dfc4581852d46e699cf90248be3a7f2817cf0d1b8650e3c8db2ab5dea87ca26e0be5652b682659921c376b3b67a2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMsU.exe

Filesize
116KB

MD5
88eb46be22272d005e2d1afd4df84e52

SHA1
843b9093b14b817764e41a7546980f2c59ae4319

SHA256
5f55dd2d54d6396ae46ca4f90c7b0d27aa9efee0a992b694802ad5172a077045

SHA512
76c01612b1328d0caffad3a5e7172bd4e7f7fbb4e0a74d5ad5e6ec05da95369b2d7b8e7ea47fd5953b23a1efd51fd803fc35e0decf663994fdf2e5f974e2c1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYg.exe

Filesize
119KB

MD5
15a1d3d42babd85c80e0f2fccf2de011

SHA1
2c5bf257a6c4fbf1dc047b07bb9781424c1bd25a

SHA256
30a72b06e84f999a07b19159db89bda30ee2ca524b6a1cb70ec88350a706d143

SHA512
2b26cd17215f8c602a18a230dede8baa24c63d1b0eb42f9da9d3e008cf5622b2389ad931ae25fc1f0aea9df01a96db25d6b3ea4566ca32b4d100b99f20775a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcMi.exe

Filesize
746KB

MD5
d0ddd1a30033b95e63c79b9afd862621

SHA1
66e98fc24b9b28fb57f04eaef38a8f42b8f71983

SHA256
57048e46aaa3c2f6c2a6140927e16aeb98c9707cf5e8383bbab11d2c6a17dfca

SHA512
9caca438d541938dad4bdd1d45b5a2131e0ab0f4397eaf4a0f583d1f157b18b837e0374d6ee76621ec33a31c14c2785d2e440d6218cbbff489c554140e828233

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMI.exe

Filesize
110KB

MD5
d4b475d16a820693bb101f1113bcb12d

SHA1
8d8f68123f460930c729640ccb7bc17cbb12eb5b

SHA256
55821b29c225edf7eadbfa912f5ef6e20e9c4c66acaa6d906e1155db9005d347

SHA512
b9d5d1151574be9911668cba0d8e746f16890f3ddad46c38ab52164e8419094fcc8b134fcae69d2db60c3ae5733befc32b6a2dd9522aaeb93772c25e1985ac98

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgm.exe

Filesize
119KB

MD5
dfe294076b50ac79949b176f98050d4a

SHA1
14b853483f195042f1ce468a279b0cca4aa0fb59

SHA256
72bec814422f9d22b967e9b438aa2c881eade3d843599fe1792cb41197fd97b4

SHA512
17df100ba30da6e46179088811efc8842c9a429d6f760d9ebe1e7edcff1a41f6d7f2a724b88d37dc489679d74dd1c4b217d8b72dcb119f87d6fc4c91233b6d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQsQ.exe

Filesize
116KB

MD5
d0302c7a63ce6062756b1dfe630639b4

SHA1
69f3a3d5f06fc67ac9137d2a80df8400cfec3e37

SHA256
be8957e8a4ecba14ee2f6e0801f667da87a894469bba4bc2678ab6f699388b12

SHA512
f08799b7e9ad3e55e55a8cf6497004466c07422ec696f3057fcf66c2f51c1a6b8abf4fe36adb1dba18dadbe677837ad42fb5462013af19798b74c2e4e81eeed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgAo.exe

Filesize
111KB

MD5
072d9e978992f13efbda92fbdf125e96

SHA1
3d0728b454628ae0047492cdd55ecdf25ebfc58d

SHA256
b2b7579d802377c21ea761be8c4cafe2ac093e42eafe3a73360a8236a894729a

SHA512
bd9ee9273ec62876c35a5dda7ccc27afbe7f40fb888c10c50d222c924e04eba11128d596c1fa7e8c288f444f8c18650016c47f62f59facdc04ea5c5525a23306

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgUw.exe

Filesize
118KB

MD5
1bc780c15b86211a6b97b3d69e9dece8

SHA1
992b069bd2e3ca98740efbd1aa66426142f6fb05

SHA256
c104fb4683a3d34e8069d5f8c3a3769e2b2e1157ca3df40e3a14ece4693f1b9d

SHA512
9040cbb4c4f9b08e594d4ec7d58284a2a3c55aa989b29c399a022f12fe01dd5324bde415bbf8f76d719cbd9fbbde29653a80215c0ffc563f2e48bd86caa77879

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoIQ.exe

Filesize
149KB

MD5
e8d70d579c1bb05872c47fb1973c750b

SHA1
3bcfd5ae1f5d1a36807f8d7dcee7beb95577857b

SHA256
561192859160891d494ffc3fc67b98b7b89813aac68a95a247be0c983d2d7330

SHA512
d7c7b0737c455264bab64e2bc8f58f943321efbf06bdf668286e86fde46d791bcd5882e205e8edf4f03b35cf401e8d756241eb8a3492d4ef681147878fd2893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMY.exe

Filesize
754KB

MD5
68f6f5e5c46781c6276fe91623d0b10f

SHA1
47bc94d67e614f9cb0b288b224245540c2955476

SHA256
ac5a8b55052396beff69c1abb036b2aa25018a5fda822bbac161b84a14546abb

SHA512
20fa6017360e00bd91ddf8d6dd3be77334fd3d23d04994f41d01fd97250eeff56ad0d4eea12ae4d05b53e711a72d03e1e424e84664080baf8a890c6459c18ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwcc.exe

Filesize
111KB

MD5
cbd68ac68bc41fec3fc6a28bf3a5d1ea

SHA1
5d30e770acdefca8b9773fb89ca1c7da87a92946

SHA256
b16b3c27bd9c95995c02612fd8681a3db9ce4e8e093db4a30c17b781c89c3650

SHA512
f86744294510321e7fd1adeca9d51cb04d782429003f5c07b8d74971ff30cff94cede686ee0756651652892611aa9942e75f194df93c53cf62b7f4bb656e2396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwke.exe

Filesize
110KB

MD5
4d8292ddb67adaf93e5528e8ae0b53fb

SHA1
e39cda9e303991605926320e90a57238ba4f3791

SHA256
8f7ce486c57c5ae737bb48518ed248dc5420fafa97b0e7a2e91686743b17d4f4

SHA512
590e8caba15d957519ad491027b09ecf6bf08e4393cccb994efacc65617ea9f25f3c05e552337cea20ca14c0b7a7daa77332247c882cc95d2ff6236494965955

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAss.exe

Filesize
111KB

MD5
6efb5798c7bb262e2c9cf844fa59b738

SHA1
5b1c3f4cd0e8e504034482f2e7e21cec436c88bf

SHA256
ba8cf7f49acd6dab1b6955e6cd176f831a05aae137d1540d698da0aad67f3c6c

SHA512
0a2be7981f4ef67fa943a1993a323e81bada1b92b21f967b350b900398fb8fae2648be86cd6c10d08c3cccccd63e65bca60c51138a150bf3ef2ace7238712aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUAM.exe

Filesize
111KB

MD5
29323e59aa5a8d7ac6a9569c01883fea

SHA1
584322606fd541ea23888e3e521c43a6263e14ba

SHA256
2621b506fbacb12bc565f5dd70726c31f9973cd3d83eaef5dc5d8a23378eb523

SHA512
f931d34b7e0d82014029a6662825a816b562c68f64a1fd06c3769a68c0ba1f4001c7d31cb261677e7f7a5b370049d0891ca26e002e8d8132f7b82198f4f07c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYA.exe

Filesize
406KB

MD5
c364711374c1f5f3b4eca3567dccdc8e

SHA1
146178575f82e8c6b3afc2b79b1b02f32f694b92

SHA256
5f1ea9cc3ae44a23ee26af7f076318f5e8d2c15ad3840e11767ccfca5b733242

SHA512
12cfdf5588bfde53356c906895b2c58114a124de87e04eba242dc86ab0e7ec25e2ec127685ddcba45fe3946473a82d804413ad975f6637fb6dd9308e2135a9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUk.exe

Filesize
112KB

MD5
92346d4fdbd90a866aad96db8edcf740

SHA1
b760eee617d7c578a8305eba8bf827d6d15e3c0a

SHA256
9acbfeb20e68b8e47c10a23d1ad7a41f3f34e59f6d0e188c19c42f33a561b0c9

SHA512
bba51bf5c476cb3807ecd8cbf7fdfae96f7e2024f08b278b8dca8abf431fe00ea974355240b4e64f9cf257c04e537341988429bd2487a16d7684f3368f2fed09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moks.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIgO.exe

Filesize
485KB

MD5
e2e0ac831ff8055cb8bc7bf9d704c945

SHA1
42ae22502d2dd91b173a734b183e57433b43235b

SHA256
287c06d8447f882066dd9b918629af17df6bfda3f18ee9e3486ad346210e94ad

SHA512
3595a8436de8da34d2c7c9a7d0135901c0f6c8abe0a8f1d782b1fac5aaca42a5e3f29ec8618fd79b5829f772898e7f9209cd9253c09b9cdec52cb0450f3f1dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcgO.exe

Filesize
117KB

MD5
57b8655310f899b6979fddfcacd0e7bd

SHA1
e43caa60f7dd6532af2380f6c71a376ffd2a781e

SHA256
26a61ebc7f3b5c2505aca0febfef9f6db2ce9b4e7f034d67a3cf2165c4f80eae

SHA512
6843095a4608a4d16c89309374f6a727547acc93375e61bc100e93fea2add067435f805e9eb32cd49a861fab0a1e6727b02fe04819209ad680713ea04e0aed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OosU.exe

Filesize
113KB

MD5
d64862f43c1d3913443b5b6e23291bd4

SHA1
9c27a0770e168397ff1273a287bc2731ffa3f3ba

SHA256
6ba2df5d5f4f6d5b702fe7436427b835aa4c36cf38024df5021e60d380d4a945

SHA512
a8af62240b452978819b04be34188557f71ecef0851c75ebc319b37f540728d2bd6d81634771f94c91d1bcb08ab78f7b3937681766898173c1b071d683a8ef2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owsq.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIok.exe

Filesize
111KB

MD5
d23bdee5055e3bd71cffdb78985e5ec2

SHA1
0668fb922fa22fcfe3bf7a46d36b030be24f14f9

SHA256
bdd53936a037818049a39c0ba173c4fe4f8568b35c70d39f60d51b28bd3cb366

SHA512
62e11fa16001e17544e6ed1a07fc5536d776e3737f0e54adc6cd084ec33f24e11662c391834907907eb06efe312aa5578de82f8c8482bf1dce5b634c5ee6a6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsk.exe

Filesize
236KB

MD5
4b41fe72a23211c1b793a4286a8c9daf

SHA1
a3480a0fd7a93bf5154c38aaed21cdb0b4d82d51

SHA256
565f55d48caca6d4691e3b2751db1e07ad1144e9eb3522adb695687cc3dc8a52

SHA512
4c5c851b482d67d658e716cfab41663e2bf87d945b0efdf2e9623f4cc175453929aa97fc8dcd4512fdcfd81502cbf8b9f5181997b2435ea7797d225cc4d8088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUEI.exe

Filesize
110KB

MD5
822c677b3f8c59ef5cc1f88f5f807889

SHA1
699c84d4d581687a3de21788f4a3aa579fbe058d

SHA256
058c18de2c8c7e84bac7ae57026465096a60afb853a8bbafcc249d5713c4c790

SHA512
c676871a87e44c171bbd14a3e784dcd47e8065541ec1ea451b6569e2dc2d87dda383596b6112a44b08d9e8b87a40bef2210de2e41b3d3585623227a7aa45826c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIQ.exe

Filesize
111KB

MD5
4c4af563417ead3736e67efcc83c46da

SHA1
ae637770f7ee9306852c046cb4abd8a425bc28ea

SHA256
20d6a5aafd02cb9f2ea0068713f97d6cf60420e250509966ef6a3be8b7e3229c

SHA512
40b0919eca9e9a889999b436a21065e94bbede52185dd738f28529c3ce2b99f97041bfa426809c43c05c06e124f2cb4183029bf7de72a6afbfa5e584bb1e6147

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkgC.exe

Filesize
110KB

MD5
b76fd733a9f04830b45b4d0608437b4d

SHA1
355ce05e49d47b62514952d625723f5715199874

SHA256
6070ab55f476bb6222c58bc301875fe33c4a528d7a320ea22e653f22b6c2e912

SHA512
8192064822aa4bb3ab15526743882b5c44240718505280ca9ad744fdceb02da738e8faded35c6c01d2571b35b373aa73e13095046cdf951bc6e3ff5f0a324293

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIA.exe

Filesize
439KB

MD5
9daf774b22a3ceafaec4b5f608e49186

SHA1
0922bef2ea73fd7f77fd30ad4a688746beeb009f

SHA256
08335d1c6d2bde2374c0303eb61849b4034664680424472ce5be30fab6bf591f

SHA512
5e410002e37bb4ae49eeba5e898845129da78af40b87f68a1055fee7b3dde3fc6333f19e13a7eb5ae6e31615f5177ce813632a3207baf001de1c8cb184a2f92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAME.exe

Filesize
112KB

MD5
4a12460bb0c664dfb9a69739c8ab709b

SHA1
08282b5758c78cdc9bacd1c301c4759709488137

SHA256
11480370e1f28de0f68207da88f0b733248fb5d4f01984f3d128cc46fa9cef0e

SHA512
a4c7263c31d345f2d04b1ff1961ec9f4dbf7c44604a0f5fb4f432646a00cffba414bd5c6014479bf238a0427bffd524be2a26112a24a9154ee45f5c174ab4c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScgW.exe

Filesize
110KB

MD5
89c65a7f91bb7d4b5279cd8a66304b30

SHA1
4b72a8b5ae83385f42a27325d6f67f180ae972a6

SHA256
f7d0137629b849779b4a1c36a163b3fa8d67d6fe87fdc5530ce646cecbc8c47c

SHA512
ee61d69aced9148f8085e212e5a52cd2d7cd63f83545343104cc49bf965fd6ba5e3da65cc3ed0ec3e52a2e8a7469dcfbf496a391e836661ed1e968d28832dfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SggI.exe

Filesize
111KB

MD5
4705916b0d0bfcc943041eea0d33c79a

SHA1
8538dfa9a06dbff6935740c7ecc8554164f9d692

SHA256
1bd2dcb79ca7ec36ce57a28fc899c89a35b58519ada35547d3cce48ea736d206

SHA512
d45098be31c6b9ed154775be4358d01e77a0b112435631a5c72a27ae03e0dfe0f6fdbb816fc1f9ee8e6254ac0ec9622edb2b7d390eb429fa4869ee890de563d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSocgAIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEIe.exe

Filesize
845KB

MD5
1d4c91feaff2c2cf9e554347e84cbba2

SHA1
7e1fcbbcaa0e39cc880c6c04f6304297331debdf

SHA256
8ce993b1d86f0300c7b79b5290389671eaf0dd9d023a1a644f3bdcc9a625de98

SHA512
e5f2bdba851d7f2365a086e990da27ad51f1863f97ffb284d75e79fa8e433dbe3451df5079e56144f326f0410b2b34c0eaa0066e8ac2580bc6f0f5a5735c15ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQI.exe

Filesize
1.7MB

MD5
8de7ea42eb8b7848d83fbc048dc84e5d

SHA1
0235434047c426aa36931b7562f973f1cb902788

SHA256
42175a9435e9bd77c6c3abcc78e93771194da2e4bc3d2c9b6700292d4e6e29db

SHA512
90a2ada088dbb7df437083b29c074004e9fd3d3ad64a7788ec7f23adff99f0ef5181fe6e3cb7977aa350aed7851773ba8901be0548d761c3de65946149bb4c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMso.exe

Filesize
745KB

MD5
b6742038fc5031663611b48e1a569535

SHA1
9bc3314f8b038ab21664f0fd36b7c70bac4c02dd

SHA256
1d9b9e176f546ab12c0412646125b0557337da5e431d6fba1ca6b9b4c739f3a3

SHA512
c92d8cf919a003fd2aec06a530df5345d34a52b8c810a1eeabc32b834510923604cbad23c69a4aa0a99b962f7a06cf461b3fc73de5e0483b4b90b59f99cb8c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgYi.exe

Filesize
112KB

MD5
c7827b9d4012af7caccecf8f8ccafa91

SHA1
72f84bab57e6fce754582da0f411ac336ed353d0

SHA256
0f044a503981267c69ecbf99f2bac7cfc89051266c963a5e3da726ded63f9b6d

SHA512
f255d546e930cc64137b9a38b6672bf60579df2f35df0f05496257236b75c2bb7e39df92ebb6a53e6cb5e087145c08a2fe3116f58b8075f1b838a3ddf173d35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwS.exe

Filesize
116KB

MD5
4656eb96700e674f9916094e12f1a500

SHA1
ea08541acaa30519b283e7cc18e06871b038fa8d

SHA256
ac8d8ebe9c84864373847b2bbb07152ea2726bc1d07e9dbf77d866e834674c24

SHA512
121757b7f1947371b87e8516c63dd48fae29a82269a88741fbc0c7229e573aa84ef53750bb44f1eb71c836743965f977e7d2b4680bd9c52031560719bf618b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMe.exe

Filesize
114KB

MD5
436aad61e88556cf699b8a8e3745a760

SHA1
91cd2d8ff2743e19e71e74d123ae003f5e8d3711

SHA256
8b793d62a6b86c1d7de2c0911006670f2956d28e09ffc97223cf1e669dbad145

SHA512
880c5a812d20ac7aa39b4d4bb033824fa8035319025ec307e461ca10a007529e9ae7241f9b833073f3223a26560cf70555703414f3650087de109cf3dc733f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYk.exe

Filesize
564KB

MD5
d80eed2053fbd2d3658896036536a0a0

SHA1
c7605fc4c868af84284d498b621245d47323dddb

SHA256
26ec7a27478f8545d4e2fe16552d549e52135cefc3e29c24d1b4c5b0e666edc7

SHA512
06baa82617cac0317ffaa16c3203af90461aad65ff9672ff9332aace1589769f07b6b17f0f52f9b428ab8220fa12cdfb2611bf133cc5949c1d8c261002087477

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQos.exe

Filesize
113KB

MD5
81215cc70336634c56a12930eb0fe56f

SHA1
2a8eb724101627adf4d91edd3540e26df944158e

SHA256
0a4d65b522d3255e61a0725652e8be6195b1e4e2cf511d5aec77b4567ad872c8

SHA512
12bde49db1e4af656c66717b72ad21a2b63bad7ab2227f0a87ccb0746b26ab5e00e9e3bd23ead4370f22d4a5fec8449660dda082fcf756de1ee28c96e44fe626

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEki.exe

Filesize
111KB

MD5
8e0dadbb476a20b781d206d446981d9a

SHA1
6954c15415694d275fbad664eb8e7b3b86dbf404

SHA256
5034a1c98516095ea96c447ab3ac11bde13d26a9cbe6b21f4409be9628a5668e

SHA512
064155b9fce0c6110857cd52f8278a9f64c88481f8aa35fcce59b986e7a204edcd6db1e6b825a1f9eb98b326580685e824bea98fe0e6e3a24005572df4ab0c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEwy.exe

Filesize
110KB

MD5
714562ff1e49c275951593a3829ab978

SHA1
805fdf34291fd40976be7ba2ba2bd635d157c98b

SHA256
9dfb67aa731a8e7b21f311b027d8b36b03e5f2b5d8bfd9d801b9158318b0ced3

SHA512
98e075473709335a4fe7f480280abcbc124ea80852f9443fbc016526de3e6fe7bdacf49e274f15f733c6420f4ebab110540be9f954f4286882fad93d426b646d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUU.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoMW.exe

Filesize
116KB

MD5
b11f3f30dfb424a530335e6538fd82a5

SHA1
5187f34b5afd46f8004d72c4ef4c5f7a970f7bdc

SHA256
63cef88ba668de950bde84b06271b2fe394550ad0e1f56913f234e21d637c1a5

SHA512
061ee314b2bf1c1c08475179843eacd5b06f1d2baf6716d6d8dde1b9510081cbca0e9720485a88b2717dbf75766a52e65a911d4f8d04933fb10e40892ba5e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoQU.exe

Filesize
109KB

MD5
fc157ba4cf94e1462775596c956f35e4

SHA1
3ffb5177975b29d8de7c8f2b5b29cb956624ecd4

SHA256
0d93996a3188fb4f6468e58ad833bf4c358d303a38b8237a88051d7461883974

SHA512
4896284a1d878773c0622a538cf4f59a651ea86a7acd45cc35bcbd5ae05452d7581ca50b5aef39a256ae2a5544b139c2b4b303e11f9980aa2520181ac1b5b69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asIY.exe

Filesize
111KB

MD5
08a7f4605a26e13568722f82fb1f4a3d

SHA1
f9446dc553b77803e97e9ec31abdbb66a19d3dd4

SHA256
41b9d3d35ccb36f319b8a6e1f14b3f675d24b0b97ed9f2431edb4ad0c059be1b

SHA512
7f422d4d7bc5b0823af1c465b453ca42fae7cdd32f972ee4f5879f1c7410ceec9548539f9e987d08a26b3e2cb12bbc1961a33dd35e11e2df061b24cbfd32a844

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAgE.exe

Filesize
148KB

MD5
1d4221e1f83caef39ebd25ac1e66f439

SHA1
8722d5b150cd7c3b0512dca323f5eed06f27f941

SHA256
5dbea6f818364320650f931a7085c69ebba450d4ce07e6e76fe6425a83ec7625

SHA512
b96957773680dffb725c1fd1706ee12dc8ef5a07d6acea5897b3ba5430c6759a2246efae2d49332e44de69abaf0e1029b80c914eb8a00f070c874010bbca6af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAgK.exe

Filesize
112KB

MD5
d3ea091fd519b4a2c63127afea7d1f1b

SHA1
475d0ebff0d16c82757e0a720a545f5d7538dd75

SHA256
0845bc64cb2c16700e5ef28e8dcad9363fd2f2f59f444d199332e8319687e560

SHA512
0b57001e8db71d2b6d5206f80ef5abd013f6c455c78f2c998ff4d92abb519ed6904ab36c0162569f8a16272a12ae8e8467386b928f08863bab5219f615162570

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAsO.exe

Filesize
111KB

MD5
78fae0d4376dbab5b9471a319ad0be44

SHA1
f5255b3ef40c714caee3b244ab8e399b4fd5815e

SHA256
7d214c5edd06a07ffeb151411457a45c68aff843c413c6d8ef36116962a6a740

SHA512
f2159022a6fa257f2a7a5f5a2a9bd03d5f97c4bf3dce5234c2a2c1fa368e568839accc082fb6419953aa3c8d96accabaf473c7d3c13dfa7722a027ea55aafe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMq.exe

Filesize
126KB

MD5
769b5de56145fc505f463d0ad014f4ca

SHA1
05bbde7b171ddd41b2f8d96e28e7cb427f12fc53

SHA256
f6d549d969ccc0a61b0a61206db03fa2934cbbbb9e0e81b046313584f3da5023

SHA512
a153ac0a93fc42f18e6cc80766ee785912327e8a0697a78cf1ab4cd03cb29089badd2d8d3eec2a7ac3635fa16fb234f28593fb9422e6ca3e4b7bbebe5207b737

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYA.exe

Filesize
139KB

MD5
781264b72a20a6611484e28ffe76e976

SHA1
80269d1eafcbacb145947f2935ac23e01c192a37

SHA256
1b47af8c6aebfa04caf440630de320a00ade68862a71f43f53b6b00cb7b947c6

SHA512
f7f1ddc16e874c76c909406ff32f3c0e1af424c5432fc6e521e0ff547f3ff2ca30f67b553ea459109c497d569cbc32702a70fe95096c4bb02adc6f162c4a0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekom.exe

Filesize
116KB

MD5
1c80988fc55b4a2299fda1dd7ec48a3e

SHA1
51598994d07b100cee3f57bf25866c0e841a33ec

SHA256
9a9d35fd70ba2b65a37e994c53745b4b6e63f75af7e326e78c10d3a4b039f26f

SHA512
c1ed9726493e9724e318a22554f2aeeebe64cde2f5d1ce6c8720af1e44cf8ee323b1247ae2a3af198a192554f2d01d86ba63822c01b45b8f398a657f9ab56f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoss.exe

Filesize
111KB

MD5
0a688325fa416eeb6b7f61eca28519ff

SHA1
e193d942af6ad62f45638a92dce39d7d8fe3048e

SHA256
4d5afa9c50f9b532cf3060e218f2b67af8309ea050738c9c4de50ed700021ed6

SHA512
cfa844141a1e409473b7b23b48906c33377c9e9083a2e8bf17c466b4a98d0e628b5bccfb87d4e3920979da55ba4f6eda767cba9f9143b2b6d5490df533f1e65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewoM.exe

Filesize
237KB

MD5
529a28e99422a3b14c043206b04f679d

SHA1
6e55a26fc95e724d1992377a2074bccc9b028858

SHA256
0b653ccb2a64ac5b1c6527634330147961b2ad268fa11f2c4e454d5247dcb173

SHA512
d1ed3c0a1552cfb14ddd1c4d60ff1c1a98d5389638c89daa44ab860b8ed94269f76a6d08062f2831d4bd79a4e06ec650e1f159b050e7e7287d531fd95fb79c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEw.exe

Filesize
119KB

MD5
8e016df888c07c2b7b659c79065557f1

SHA1
b431224188fb346cd8c100d32e06a832a8b53402

SHA256
76958a92999b5e61d3e723379942136a632bb3ee3e288a9b8e74bfea55a536af

SHA512
0cc5726ad42a73ee42922c8209c385f6d79c520888f2b19a286367cc77d758bdb481ba78cc13e09b1e78b5fd96ebd36dd412c6d576a46c088220ac11cc02be88

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMwM.exe

Filesize
238KB

MD5
5f8da4d406a2343906bc19d224a4d231

SHA1
f303f036a5e7afb5b1a7442027d5088030141aeb

SHA256
75575e87d24d3a9c98289b531b7d1cfc71ebe2cf02240265738420bf89d3d4ef

SHA512
a0c6155c0778b2065b3ac49ee440c6ef8c834d6f22fab554c6f98df97e71e2330e0f8a784ed87d3c3947b2f9d6e1b1d0ca817927c8816e1973aa9486de4c4097

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcEI.exe

Filesize
114KB

MD5
2ae1fd8bac6422e4b250c04e7234205b

SHA1
e4dd98279a73af0fbba700d469222ab59e33708b

SHA256
b8ee730c32df0fea050ad7d2623820e025d0c695b26ab95d720265e4515982e5

SHA512
de06551b86ebcf17fa99f7a1dfa2aa6c9df589680d7dd2061dd697a0ca9efc741ba6650097bb8cfaf782403273b9309c4ddfe7a2578ad8820741c752fcbdab3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcsq.exe

Filesize
723KB

MD5
698844be75a99bb983195181303e1580

SHA1
0bb0566ae921067e7a28620c3838fedc55362e4d

SHA256
5747001b079214a3c5488673e09e591fef8b35ce76ad4a0affac2fb9c15a53a8

SHA512
211eef69200b8dbdc3bd0de4f4a0d6dbb434adc2ee909f09ec7677051f0e491b889f374d9ec8e322769c6e305fabaa02b6dc2efc48196e217fb43e05242fbeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwi.exe

Filesize
238KB

MD5
9398b116611060200e1fe8a41f0d221c

SHA1
56a42bbe65d67c345cc2aa7a63b756dcc71f59c5

SHA256
41ad3c16173aa8ff8e9c3262c226b4a733df2ddd34f24935a1c3ac615550a0cf

SHA512
c5a4e5b92603303ffd3a19ced38c49efb4a1bbde55eab90b240ec1fb207b032bac0b2c0f8f82a587f1a21ec49482d3494b477d86ce72ef0f18a71cb42a3d54b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEA.exe

Filesize
616KB

MD5
b561dec61c604cd787238968d4ffae81

SHA1
41754d803072b6c883a398aa6aa19b5cb5cd68a0

SHA256
e3b4949b359cef6acb4c1a85c79fa4739b202c4b05bdd6c9656c5007bb6ca0c1

SHA512
51852ec3536908d461709200940927a820e8293ea84c41db4c274d6d9930ec3af981d09a0cb327dc302f774f0b897dc725f29018038d19dece9a5f1c5307e6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgA.exe

Filesize
348KB

MD5
e043de2db8ccc4c8cb4ede4a3637b7c0

SHA1
f645c2842e90300e97b00630e7e04dd769bce1ed

SHA256
a5528d683e1dd5a7d71a4ecbaab4843b034b7220e4b51bb2d2494c459fd24f06

SHA512
376df2bb337a0f0eb644b6f29613a7a7378de60e5f2580b38a9c0535638afe2ac06fa5df6c7cf53476947b2329a99ee437ea5dcb1fe6ba44789739ffc2e2fdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikwU.exe

Filesize
120KB

MD5
601224628a35fd2ccfaa3e6c520fa410

SHA1
fba03146dd64ad0d38843aef65dcd7d253d70aac

SHA256
a415fb56b07631b4f2c8e57fb94222b3246b9ae0ce477bad85230f87c528bbb5

SHA512
43d37a5ab68d085b39211701233c3c3e6b55a41609bbf47e284e1559165eb55743cf8ed9339b2b0919370e7aa3b89e07eb665abf85610da0d11dd5401fd93a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYW.exe

Filesize
112KB

MD5
ef5df959551b854be98cde308ab6132c

SHA1
70032aada11781774f0962ca86f6c798b2acff07

SHA256
d420440f9f587b28b2ebabfa7f785cf51be84231c9f63d79f982d066138cefb1

SHA512
8c6ad9d30cee0e88488f2f5227f083316b507ff8e45d193ecc163b9476754d94ac66df9a55fec11a275ff7a4e37ab43dfde59161389ad22151a736ad812ad1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQQM.exe

Filesize
110KB

MD5
7997c8e40a9b8bbcf92125f24a150c4e

SHA1
2fab0102a2360152f26b38afcad89a6eb33ab8ad

SHA256
fa612db77bf2d57551fcfb7a929dcbfc7478c5a8f34af1807549de707cd9005a

SHA512
4db132b5a7df2ccb3db8ed04d3844d079b704cb44b03893ec3734fb6e8f9f6f589f3de10ae948803bc7e67c5920c0f34ea003479f2311fdc903e59e564cc339a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggO.exe

Filesize
114KB

MD5
0521da618f6037f926023d99b8bad82e

SHA1
85dff66c88ca239d002b466b2395ddb227ba39b9

SHA256
800d689b575716db27984980bef4eb6130524890954f5334b5e3747b0c5ff382

SHA512
4f440e888cef6fa93dc903eecdb843175a06d1e1f65c1849b24e90cb3f160875aa986d689d072da2d227b9eb1c9f66d6bc68b7e659ee223c28f3d399ff4ce186

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMu.exe

Filesize
119KB

MD5
8e0d52bd25803e67dde9d9add648aa89

SHA1
d3c52e6d59dcca3e203588a690920e86e84d6e03

SHA256
6fcffad9f4425636de41c77433b00799005f8f7177a5af1708e4b26dee5495bc

SHA512
574a60963af19fb1fc9b16b5d86017227bf1ff176b035663c70d19e8d4a7f6ca4e6cb0646f95f9721d587753fce42123feb17f205d5bf03378533a2854629dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwI.exe

Filesize
1.2MB

MD5
e99334a33eab0cb23170cb4499c84df0

SHA1
1eb846e47590717907bfb1b0a36fed32a8acb493

SHA256
9d10925ce7127144323933e507ce35a84795f758072e0d296c4273272eeac76b

SHA512
d464de5c6a1a7ac94ff6e5b7ebb13d3871ef6357be87d82f0538dcf519ef0b555c8e2eb09bdfaa3e293d7944c10820740abf155b6ae616a87826b3f37a116464

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggo.exe

Filesize
300KB

MD5
ec7c950b782a92c0237f5ce654b2d0bf

SHA1
54a9badca79d12a7e62ce78c845e863f22ba6109

SHA256
dfaeb3fb17fcaabbc6dfe3b3e93f695c56b85bcdeb65f9bfb15ea77f8d4c11f6

SHA512
429de375d4df3f5513ef01d6c695141767a06bd141299acab9b626c16f64b1b922ef19eba29f86b938ffd38f9af789dd355bdf6b2d84d337abf23a2d9ee89296

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAEg.exe

Filesize
567KB

MD5
7bb892b882e24754ca1120a4b7cf1cea

SHA1
1501e27f867ddf784109178340a94413889da46b

SHA256
12bd4a746a5e7b282398fe972bda7605f94285b1d3d6662c36b5b04ee0c0f9d3

SHA512
0194353b5fcd35a681cfe0598de647f7a6f61387cc8eb619e24d95d15b0a248f500bd2b1826dadf56d629d131bbbaef153287fb7983ca8d08f2ee9bcd9cc4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMe.exe

Filesize
112KB

MD5
12c4673585ab4f2f9bba8b6511167c5b

SHA1
dd129e07dbeeb7a841305d48ba20a3abb636bf04

SHA256
e905ea7159461d85e61baeef1e39b9c9cc730ac947c9cba1b18b37f3530e9b19

SHA512
f0694fdf23cb3eaf394223ca687437ab08252922a7962314718a9ccfc3eda42166bce33255a3d819eafdec0c30affa8cf7f16ef2b19d66cb39e139733f052503

Download Submit
C:\Users\Admin\AppData\Local\Temp\oskM.exe

Filesize
112KB

MD5
63046ad150d465bc650b43872b792460

SHA1
f7df46a63f1205e9d2a169666c6c28f95d5f1db2

SHA256
a208ddb6a875db63df9587f6afd07fbc406c61633591fa8494b38faed1dc3873

SHA512
5eb47f30bc3118516c9bbf0b034949e1d43bf2170fa48ebc6f05e3a0c96544a338b4a12be396c556355a61233784be17c6c26b068c5ad3a89d852040cf44947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcko.exe

Filesize
720KB

MD5
ab3cde51675900bea3b48e80331c7ef9

SHA1
501c2fffafdc05e49474e6fe69e47c895e7b7b16

SHA256
9b4c6535f4ba055b4455579b21132178e902cdc7b7b5748a5c07b0831a1ed38f

SHA512
59d69a3ab076a0149499680647e0fd8a76136e69b8ec7608b3ce8cf40faedfff801b9c682fdf0644a2323800469789825a859a158c0e6c24a33ac39019374f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoEs.exe

Filesize
563KB

MD5
4f3de357d726be2896500deb5590f18d

SHA1
f5673fdea58ed02b4b695ceeaddf0c518c3a251d

SHA256
b5c38bc8463cb14c7b5bbccb61ef481d7aa282d07929f5beeef7342ffebe8eb5

SHA512
38cd8b7871ff47c218666fbb57e4499d122b951153ebe0934435b7b4b12366b9de68db633ccf144cfd767f7fa01e9f11df6a8c6490a0eeb394a430f5ea83baac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwoa.exe

Filesize
110KB

MD5
6ba1e6c5014aee40b7e7cb4df3a10707

SHA1
c1ae25487e0e88782cb3e249a2cea5350cd9954c

SHA256
45b7ce3331f0bff69682bdf0753aa2341a86e6ffac190a28a14da8fd490a424d

SHA512
99b4efe7805dbf62633fef9cbeef0efc04061eb70de793953623a8fe49344b4c7700f9c4151da3f1d5a8230d55a23cfc14f8f9757eec8b82e4b9f58d8177b7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEsi.exe

Filesize
115KB

MD5
bd03a6f5b606a23e7f0a280768c77308

SHA1
f8d280f9d949a656aa66758743d093c28bfca15b

SHA256
469f1f0292d7460d171eda2916ad1985ff4b8d69fb7644c2fb09af0a5a5be833

SHA512
ecd3d9d1faccac4fed6ec6aff1fba9fc8bd803dbcae06cd1fcf6939ca4fa761f1a2a4d27e9e16b73d18fb5fb177c90ac187ec119bdb9a7320723b12c50474fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMc.exe

Filesize
699KB

MD5
0ccaf921e6479608c654b237a542b89e

SHA1
e1c1af2460e12b73e40cfd33644ddadc13f6cb76

SHA256
5b40ea1a25b64cbe1138815ae62d1eaad05dd40427ce03c5a5e5c2bfe447ceda

SHA512
73242436004de292eed96b55fa7263efcd42163b6a132eb73df836d6b8a9ef45128d4069f243e84cebe11fdd902d3f5b3849fba519981ca16c0d1c7df5db7b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYE.exe

Filesize
313KB

MD5
72eafd1d49e5db2d8d9b3f524deace50

SHA1
4297b23f4f18fbf1af95e445a8a9764ea52dab72

SHA256
7b242290eff6f0da7ae8e67909d7f958244f189712e77a00abfd504d70907caa

SHA512
443e7526b94a1a1e921efe79a97a9317f538e617f9b4c8da893bcfb538dbebcbfd91c6d02ec13e5ccd478d75362f4b5763714533773ed3b2f438617d3d753f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\skkq.exe

Filesize
111KB

MD5
46e58566ece3340fa55862cb9513aaa6

SHA1
8b7999af55149e3a803a164b95fa35c215b8d2fd

SHA256
3cfe8807db35dfbe97306727595787f7d93ef8b7347247846079b633a03c4881

SHA512
82934a87775ecb17839827b55ccc83c975c2e3ba82b3e80d864b65207b002d388c2c5657e6055ba26c722aabccb1475f973bc567a1ed5a78ee864c6acd8bebb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAo.exe

Filesize
111KB

MD5
b62076a0a54a117c0fc5220962d8cb3a

SHA1
e5349a156b7e4119636b4b431660de01beeed108

SHA256
77d05dfd0e25ce68527af29da1d4adc3739e5800039d61226489e2eaab664013

SHA512
b289de8fcc23a4d480ed033c17ea927fd711980aad20c9b4f6b866b2e4b6ae0a83f72cdd60e063ff29734c77277557523173abb7ed24a910b9dda198b223a14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMAG.exe

Filesize
139KB

MD5
11c5abea40c9ef6f37f19e1f9f99e2b1

SHA1
0d12814a50e26a0e9dc8654a38f1082bffab5e0b

SHA256
b1c67aa095b5c1a842c1d10f3df9498ebcc67d9af5d7ab7dd25b42fae8d75d2e

SHA512
3de6357fa03f2d51bb5d8ce9c2cadc7b645249f004eeabb3f192a3ffd825e51f65b281ab78271e6cbeb42df796029972361e9fdebee454e7ffa5c4a9fc66196f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugQc.exe

Filesize
720KB

MD5
4958fc76de0c61318f422e79579b34cb

SHA1
797075c1a5b16167c66a62d06fd10dac951427d4

SHA256
495ce8f774ca8eb76627a68a763de7cc6897d9c611bd9f37c7a7ac8133725400

SHA512
123453b6a1ed246181ae999f41ec3c328f4a8abe92bef26565ba537738876b24b41fa475c0493eb76bd70dc78e18ac88eeb1554e68285773f694f1ae55e0d207

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoQw.exe

Filesize
154KB

MD5
4c0c340eaf12344a55c412d2c84438f3

SHA1
96d61c4efe3aad28de44062859412cb486b8d850

SHA256
a07c7e624f06de2a466f1efb88bc69c81064fc10ba1f5444041889c0ccd54be1

SHA512
fa2257f3780c29a8eda72dc589f4de1552118b60bcd8bc672c2a613b72ef5521490fdc1a23764be9ebb06159e2cc7a53d7533de222a67762c485b2e25956c136

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMK.exe

Filesize
831KB

MD5
6e8ccc366ba77018c6553c23c56b419b

SHA1
181f53a5472d8b824935c34a8b5cd0fd11d4b8bd

SHA256
1b461716749c943f987118a3daf36aaf92d4202ed68fbc4c3aac163419563382

SHA512
33278356bd9f9022408dc99d051e3fec61658f586ccb2eb3bb481eeaff5fb5d4a26be4cc6ab41f3fd0ffb0d7f81bd6d93e2e5b3ee3f0229c07c22f5c5d9018dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUE.exe

Filesize
110KB

MD5
ccdb2767c4a793fb790a971593220e10

SHA1
7026d1c2c25cad3b239c2c6305ab653357b627e5

SHA256
5954cd419a3d3ae614a65c10f982be09f0b8055915c7093ffaf2d6668da46483

SHA512
c5fa993ba7b166e086a0c41653330aedf654cc10a80306f893dcdc5134d868bb1cc010d6317375e339af9a98eb50052fee6ca893028cd1e790879bc042f2b687

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAC.exe

Filesize
110KB

MD5
399d1caef341ea6cb44f707410cebde6

SHA1
f73bb77251978012e65092b5985e02d65b957b8f

SHA256
2d9f7f44e9d7aadb4ed6555b24c51a510731843efe72fe40f9a4e7b0d089825c

SHA512
e0fb5ce3002bdb1b0efe7b37d2a19bb3883a2047d4cec6e0588b68b137c509887719fab3e455e99674d75f55cbd42a849b31a50d7fc03ef8c35f703bf3e76163

Download Submit
C:\Users\Admin\AppData\Roaming\RemoveRepair.ppt.exe

Filesize
420KB

MD5
e2986e75d874158c6e317ff2922e5ccb

SHA1
06d857bc9e30d78a9f0071bb9cb50fe72a6be3cf

SHA256
a27c32bb00664155a717855207a19d8bb68be2d376630556f69cb56131266f4c

SHA512
26737f6c3eac74ff9238057276f2f64d91cca1b3796efa18352fca744f708515b6912b5c8d575b11b6b2cb151f2fa5361598aef0329513b075432789d74b0ed2

Download Submit
C:\Users\Admin\Documents\ExportApprove.ppt.exe

Filesize
1.0MB

MD5
f2e14f26582652a174170b552c6fc5bc

SHA1
e3f708335b47eef80a596f0352eb537c63b54b3f

SHA256
2c2d3539d890c9e18f5b2aee63b3489eac65c86fb66c63425e2f97d0410eaa52

SHA512
ea3fbe416f08c2c641d66ec2fda980fc768b5efc95d77e40907c7259b78b80896afec114b7a4d8a2513e709f7f8c902c2ae255e53ed454a0cb73994ff63504b7

Download Submit
C:\Users\Admin\Documents\MeasureUnlock.xls.exe

Filesize
449KB

MD5
c658db1583bb4ca62f4825f9e3473d10

SHA1
c96507fd8082856e679705ab355498714a1498e9

SHA256
476ef058e2923a518d23bc7118862822bd9983f98aa60272afacce23c973eecb

SHA512
7f9273e73344cb9c5a7e1f245c2268fc687861817178eb9c168b65690c2d57de0c9c61e9f92aed225a49cefb2829a605e274877381a19632c40802042e69dcbb

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
133KB

MD5
9f30d3966552164ebec3375f77b6b11e

SHA1
d58a091d6f43e3c4e482ad20faeabd22316aa958

SHA256
42468dc7b20436f6eeddd5e619cb57fc3df0b97a2fb9672f748930968913aaf0

SHA512
800e2d5981ff2e8367dd64bc37396a7ff1266dd1abc4b11afeba49eee434015bc9e6e3daa447c6cefba1dd1f50cbbf128de9c0912d812d03959aef88edbc6a8b

Download Submit
C:\Users\Admin\TSQUscks\nykMoscM.exe

Filesize
109KB

MD5
9ff2f12872bb7706130ddd5199f09b24

SHA1
6fdb449ed53e17ed9aa3bc8b110343e013ecdd82

SHA256
7d124ef375da7ef14333f68bb00b02f7cfed25a1fe48415b7629212f5ead4df8

SHA512
148b625cca5e69de6a04bd984946cbe3e9cda758a8f3434ffc359140a4dbdcc613da48c92ec67cfccbe078795e20836eaf283338570edbf0ede47c9a5e79dd23

Download Submit
memory/224-512-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/224-503-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-346-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/548-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/548-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-509-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-536-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-354-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-345-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1400-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-447-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-458-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2060-459-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2060-467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-397-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-414-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-406-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-380-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-368-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-493-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-502-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-532-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3156-423-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3272-476-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3272-485-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-441-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3500-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3500-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3640-362-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3640-437-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3640-450-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4032-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4032-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4232-394-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4232-405-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-475-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4276-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4276-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-494-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-484-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4576-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4576-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4640-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4640-328-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4676-419-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4676-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4724-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4780-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download