fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 06:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Size

1006KB
MD5

2bfca009593c6b4be53979cf8d69023d
SHA1

0c019852533ee4d6f36dccdd6c0fca8070de2944
SHA256

fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
SHA512

e361860ab966bfec775d2d6ac4482dfd39516ef39d3c8069ec79a8d60a83a74a0103af8515408a1f2ff16145dd157a28e89adff469d9e3e800d602ec3367b8c4
SSDEEP

24576:/LZgDe961iKogI4B92x5CRnSjOVOPU3SrJrQBC/1cokZzY:/LZgD91i2tcgnSjO5wdQZ0

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\qmUIIcMM\\uAkAEwkc.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\qmUIIcMM\\uAkAEwkc.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	OgcwAwkI.exe

Executes dropped EXE 3 IoCs

pid	Process
3016	OgcwAwkI.exe
2356	uAkAEwkc.exe
2912	VAgQAYwc.exe

Loads dropped DLL 10 IoCs

pid	Process
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2356	uAkAEwkc.exe
2356	uAkAEwkc.exe
2356	uAkAEwkc.exe
2356	uAkAEwkc.exe
2356	uAkAEwkc.exe
2356	uAkAEwkc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OgcwAwkI.exe = "C:\\Users\\Admin\\SGgcwoUY\\OgcwAwkI.exe"	OgcwAwkI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uAkAEwkc.exe = "C:\\ProgramData\\qmUIIcMM\\uAkAEwkc.exe"	uAkAEwkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uAkAEwkc.exe = "C:\\ProgramData\\qmUIIcMM\\uAkAEwkc.exe"	VAgQAYwc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OgcwAwkI.exe = "C:\\Users\\Admin\\SGgcwoUY\\OgcwAwkI.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uAkAEwkc.exe = "C:\\ProgramData\\qmUIIcMM\\uAkAEwkc.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SGgcwoUY	VAgQAYwc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SGgcwoUY\OgcwAwkI	VAgQAYwc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2704	2464	WerFault.exe	29
2248	1132	WerFault.exe	35
2972	2272	WerFault.exe	45
532	2012	WerFault.exe	55
2168	588	WerFault.exe	65
2212	2196	WerFault.exe	75
3020	1524	WerFault.exe	85
2900	2056	WerFault.exe	95
2680	2968	WerFault.exe	105
2928	2676	WerFault.exe	115
1588	1376	WerFault.exe	125
1472	1252	WerFault.exe	135
1740	1996	WerFault.exe	145
2124	800	WerFault.exe	155
2764	1780	WerFault.exe	165
1536	584	WerFault.exe	182
1188	2200	WerFault.exe	185
2320	2460	WerFault.exe	195
2332	2952	WerFault.exe	205
2028	2280	WerFault.exe	215
1912	1896	WerFault.exe	225
2364	2756	WerFault.exe	235
2860	1604	WerFault.exe	245
2608	2100	WerFault.exe	255
2932	1924	WerFault.exe	265
628	660	WerFault.exe	275
304	2400	WerFault.exe	285
2188	2780	WerFault.exe	295
3232	1852	WerFault.exe	305
3424	3184	WerFault.exe	315
3572	3360	WerFault.exe	325
3752	3532	WerFault.exe	335
3928	3704	WerFault.exe	345
3084	3880	WerFault.exe	355
3252	4052	WerFault.exe	365
3492	3260	WerFault.exe	375
3784	3420	WerFault.exe	385
1552	3680	WerFault.exe	395
3176	3900	WerFault.exe	405
3432	4080	WerFault.exe	415
3852	3444	WerFault.exe	425
3256	3792	WerFault.exe	435
3476	992	WerFault.exe	445
4016	3488	WerFault.exe	455
3616	3924	WerFault.exe	465
3304	3452	WerFault.exe	475
4000	3960	WerFault.exe	485
3436	932	WerFault.exe	495
3372	3400	WerFault.exe	505
4104	916	WerFault.exe	515
4268	4044	WerFault.exe	525
4436	4228	WerFault.exe	535
4608	4396	WerFault.exe	545
4776	4568	WerFault.exe	555
4952	4736	WerFault.exe	565
5112	4904	WerFault.exe	575
4288	5076	WerFault.exe	585
4516	4236	WerFault.exe	595
4760	4472	WerFault.exe	605
4968	4704	WerFault.exe	615
4280	4924	WerFault.exe	625
4656	4188	WerFault.exe	635
4948	4500	WerFault.exe	645
5020	4980	WerFault.exe	655

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAgQAYwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1852	reg.exe
3200	reg.exe
3272	reg.exe
4432	reg.exe
2156	reg.exe
6280	reg.exe
6424	reg.exe
5244	reg.exe
3564	reg.exe
3580	reg.exe
8992	reg.exe
4068	reg.exe
3848	reg.exe
1908	reg.exe
3076	reg.exe
8436	reg.exe
2660	reg.exe
5096	reg.exe
4560	reg.exe
6864	reg.exe
756	reg.exe
5048	reg.exe
1816	reg.exe
552	reg.exe
7232	reg.exe
8408	reg.exe
8324	reg.exe
840	reg.exe
4084	reg.exe
768	reg.exe
5900	reg.exe
2500	reg.exe
4584	reg.exe
4836	reg.exe
7376	reg.exe
7240	reg.exe
1688	reg.exe
1060	reg.exe
4768	reg.exe
6312	reg.exe
3148	reg.exe
8032	reg.exe
6596	reg.exe
3720	reg.exe
6912	reg.exe
7236	reg.exe
8092	reg.exe
2828	reg.exe
3148	reg.exe
8476	reg.exe
3248	reg.exe
3116	reg.exe
3916	reg.exe
6732	reg.exe
7924	reg.exe
8772	reg.exe
2336	reg.exe
4816	reg.exe
5176	reg.exe
7688	reg.exe
9016	reg.exe
6216	reg.exe
7868	reg.exe
7876	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2012	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2012	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
588	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
588	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2196	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2196	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1524	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1524	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2056	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2056	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2968	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2968	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1376	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1376	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1252	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1252	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1996	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1996	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
800	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
800	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2200	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2200	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2200	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2200	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2460	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2460	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2460	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2460	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2952	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2952	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2952	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2952	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2280	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2280	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2280	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2280	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1896	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2756	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1604	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1604	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1604	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
1604	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe
3016	OgcwAwkI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3016	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	30
PID 2464 wrote to memory of 3016	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	30
PID 2464 wrote to memory of 3016	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	30
PID 2464 wrote to memory of 3016	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	30
PID 2464 wrote to memory of 2356	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	31
PID 2464 wrote to memory of 2356	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	31
PID 2464 wrote to memory of 2356	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	31
PID 2464 wrote to memory of 2356	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	31
PID 2464 wrote to memory of 2992	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	33
PID 2464 wrote to memory of 2992	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	33
PID 2464 wrote to memory of 2992	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	33
PID 2464 wrote to memory of 2992	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	33
PID 2992 wrote to memory of 1132	2992	cmd.exe	35
PID 2992 wrote to memory of 1132	2992	cmd.exe	35
PID 2992 wrote to memory of 1132	2992	cmd.exe	35
PID 2992 wrote to memory of 1132	2992	cmd.exe	35
PID 2464 wrote to memory of 2664	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	36
PID 2464 wrote to memory of 2664	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	36
PID 2464 wrote to memory of 2664	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	36
PID 2464 wrote to memory of 2664	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	36
PID 2464 wrote to memory of 2672	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	37
PID 2464 wrote to memory of 2672	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	37
PID 2464 wrote to memory of 2672	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	37
PID 2464 wrote to memory of 2672	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	37
PID 2464 wrote to memory of 2680	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	38
PID 2464 wrote to memory of 2680	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	38
PID 2464 wrote to memory of 2680	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	38
PID 2464 wrote to memory of 2680	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	38
PID 2464 wrote to memory of 2704	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	39
PID 2464 wrote to memory of 2704	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	39
PID 2464 wrote to memory of 2704	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	39
PID 2464 wrote to memory of 2704	2464	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	39
PID 1132 wrote to memory of 1788	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	43
PID 1132 wrote to memory of 1788	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	43
PID 1132 wrote to memory of 1788	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	43
PID 1132 wrote to memory of 1788	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	43
PID 1788 wrote to memory of 2272	1788	cmd.exe	45
PID 1788 wrote to memory of 2272	1788	cmd.exe	45
PID 1788 wrote to memory of 2272	1788	cmd.exe	45
PID 1788 wrote to memory of 2272	1788	cmd.exe	45
PID 1132 wrote to memory of 1720	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	46
PID 1132 wrote to memory of 1720	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	46
PID 1132 wrote to memory of 1720	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	46
PID 1132 wrote to memory of 1720	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	46
PID 1132 wrote to memory of 2500	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	47
PID 1132 wrote to memory of 2500	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	47
PID 1132 wrote to memory of 2500	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	47
PID 1132 wrote to memory of 2500	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	47
PID 1132 wrote to memory of 1408	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	50
PID 1132 wrote to memory of 1408	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	50
PID 1132 wrote to memory of 1408	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	50
PID 1132 wrote to memory of 1408	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	50
PID 1132 wrote to memory of 2248	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	51
PID 1132 wrote to memory of 2248	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	51
PID 1132 wrote to memory of 2248	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	51
PID 1132 wrote to memory of 2248	1132	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	51
PID 2272 wrote to memory of 2208	2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	53
PID 2272 wrote to memory of 2208	2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	53
PID 2272 wrote to memory of 2208	2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	53
PID 2272 wrote to memory of 2208	2272	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	53
PID 2208 wrote to memory of 2012	2208	cmd.exe	55
PID 2208 wrote to memory of 2012	2208	cmd.exe	55
PID 2208 wrote to memory of 2012	2208	cmd.exe	55
PID 2208 wrote to memory of 2012	2208	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
"C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\SGgcwoUY\OgcwAwkI.exe
  "C:\Users\Admin\SGgcwoUY\OgcwAwkI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:3016
- C:\ProgramData\qmUIIcMM\uAkAEwkc.exe
  "C:\ProgramData\qmUIIcMM\uAkAEwkc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
    C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        8⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        10⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        14⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        16⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        18⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        20⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        22⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        24⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        26⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        28⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        30⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        32⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        34⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        36⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        38⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        40⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        42⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        44⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        47⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        48⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        49⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        50⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        51⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        52⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        53⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        55⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        57⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        59⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        60⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        61⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        62⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        63⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        64⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        66⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        67⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        68⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        69⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        70⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        71⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        72⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        73⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        74⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        75⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        77⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        80⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        81⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        82⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        83⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        84⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        85⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        86⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        87⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        88⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        89⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        90⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        91⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        92⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        93⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        94⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        95⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        96⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        98⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        99⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        100⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        101⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        102⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        103⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        104⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        105⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        106⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        107⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        108⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        109⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        110⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        111⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        113⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        114⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        115⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        117⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        118⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        119⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        121⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        122⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        123⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        124⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        125⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        126⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        127⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        128⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        129⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        130⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        131⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        132⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        133⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        135⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        136⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        137⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        138⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        139⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        140⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        141⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        142⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        143⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        144⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        146⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        147⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        149⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        150⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        151⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        153⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        154⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        155⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        156⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        157⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        158⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        159⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        160⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        161⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        162⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        163⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        164⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        165⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        166⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        167⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        168⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        169⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        170⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        171⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        173⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        174⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        175⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        176⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        177⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        178⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        179⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        180⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        181⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        183⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        184⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        185⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        186⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        187⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        188⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        189⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        190⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        191⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        192⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        193⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        194⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        195⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        196⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        197⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        198⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        199⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        200⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        201⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        202⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        203⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        205⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        206⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        207⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        208⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        209⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        210⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        211⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        212⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        213⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        214⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        215⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        216⤵
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        217⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        219⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        220⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        221⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        222⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        223⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        224⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        226⤵
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        227⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        228⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        229⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        230⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        231⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        232⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        233⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        234⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        235⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        236⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        237⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        238⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        239⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        240⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        241⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        242⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        243⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        244⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        245⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        246⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        247⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        248⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:7252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        250⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        251⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        252⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        253⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        255⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        256⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        257⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        258⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        259⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        260⤵
        
        PID:9212
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        261⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        262⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        263⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        264⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        265⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        266⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        267⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        268⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        269⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        270⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        271⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        272⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        273⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        274⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        275⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        276⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        277⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        278⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        279⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        280⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        281⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        282⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        283⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        284⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        285⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        286⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        287⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        288⤵
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        289⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        Modifies visibility of file extensions in Explorer
        
        PID:9352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8756 -s 512
        286⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        Modifies registry key
        
        PID:9016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9132 -s 512
        284⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        UAC bypass
        
        PID:8756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8932 -s 512
        282⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:9108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:8092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        UAC bypass
        
        PID:9004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8584 -s 512
        280⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        Modifies registry key
        
        PID:8324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        Modifies registry key
        
        PID:8436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8776 -s 512
        278⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 512
        276⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8856 -s 512
        274⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8476 -s 512
        272⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        Modifies registry key
        
        PID:8408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 512
        270⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8920 -s 512
        268⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        Modifies registry key
        
        PID:8992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8704 -s 512
        266⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies registry key
        
        PID:8772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:8728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8440 -s 512
        264⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        Modifies registry key
        
        PID:8476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8244 -s 512
        262⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:7908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        Modifies registry key
        
        PID:8092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9060 -s 512
        260⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:9092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8888 -s 512
        258⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8712 -s 512
        256⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:8736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8532 -s 512
        254⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8348 -s 512
        252⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 512
        250⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:8196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 512
        248⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 512
        246⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 512
        244⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:7620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 512
        242⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:7924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 512
        240⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:7240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        Modifies registry key
        
        PID:7236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 512
        238⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:7772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 512
        236⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:8176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:7292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 512
        234⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 512
        232⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:7444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:7548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 512
        230⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:6596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 512
        228⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 512
        226⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:7728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:7688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 512
        224⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 512
        222⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 512
        220⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies registry key
        
        PID:8032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:8048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 512
        218⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:7868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:7876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 512
        216⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:7708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 512
        214⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 512
        212⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:7360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 512
        210⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:7172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 512
        208⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 512
        206⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 512
        204⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:6216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 512
        202⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:6424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 512
        200⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:6732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 512
        198⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512
        196⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 512
        194⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:6312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 512
        192⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 512
        190⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:6912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 512
        188⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 512
        186⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 512
        184⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 512
        182⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:7016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6796 -s 512
        180⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 512
        178⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 512
        176⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 512
        174⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 512
        172⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 512
        170⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 512
        168⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 512
        166⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 512
        164⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 512
        162⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 512
        160⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 512
        158⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 512
        156⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 512
        154⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 512
        152⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:5252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 512
        150⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 512
        148⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 512
        146⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 512
        144⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 512
        142⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 512
        140⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 512
        138⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 512
        136⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 512
        134⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 512
        132⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 512
        130⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 512
        128⤵
        Program crash
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 512
        126⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 512
        124⤵
        Program crash
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 512
        122⤵
        Program crash
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 512
        120⤵
        Program crash
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 512
        118⤵
        Program crash
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 512
        116⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 512
        114⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 512
        112⤵
        Program crash
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 512
        110⤵
        Program crash
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 512
        108⤵
        Program crash
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 512
        106⤵
        Program crash
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 512
        104⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 512
        102⤵
        Program crash
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 512
        100⤵
        Program crash
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 512
        98⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 512
        96⤵
        Program crash
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 512
        94⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 512
        92⤵
        Program crash
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 512
        90⤵
        Program crash
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 512
        88⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 512
        86⤵
        Program crash
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 512
        84⤵
        Program crash
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 512
        82⤵
        Program crash
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 512
        80⤵
        Program crash
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 512
        78⤵
        Program crash
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 512
        76⤵
        Program crash
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 512
        74⤵
        Program crash
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 512
        72⤵
        Program crash
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 512
        70⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 512
        68⤵
        Program crash
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 512
        66⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 512
        64⤵
        Program crash
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 512
        62⤵
        Program crash
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 512
        60⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 512
        58⤵
        Program crash
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 512
        56⤵
        Program crash
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 512
        54⤵
        Program crash
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 512
        52⤵
        Program crash
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 512
        50⤵
        Program crash
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 512
        48⤵
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 512
        46⤵
        Program crash
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 512
        44⤵
        Program crash
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 512
        42⤵
        Program crash
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 512
        40⤵
        Program crash
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 512
        38⤵
        Program crash
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 512
        36⤵
        Program crash
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 512
        34⤵
        Program crash
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 512
        32⤵
        Program crash
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 512
        30⤵
        Program crash
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 512
        28⤵
        Program crash
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 512
        26⤵
        Program crash
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 512
        24⤵
        Program crash
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 512
        22⤵
        Program crash
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 512
        20⤵
        Program crash
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 512
        18⤵
        Program crash
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 512
        16⤵
        Program crash
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 512
        14⤵
        Program crash
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 512
        12⤵
        Program crash
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 512
        10⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 512
        8⤵
        Program crash
        
        PID:532
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 512
        6⤵
        Program crash
        
        PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 512
      4⤵
      Program crash
      PID:2248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 536
  2⤵
  - Program crash
  PID:2704

C:\ProgramData\JqMUcIEk\VAgQAYwc.exe
C:\ProgramData\JqMUcIEk\VAgQAYwc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JqMUcIEk\VAgQAYwc.exe

Filesize
952KB

MD5
2472a8b6bc57360f10441525e7e89ee4

SHA1
00e704ab13f440e467b684cbfa84f5dbc5b0c3f4

SHA256
5a9ea6913a6fc069ce6e9a720bae314c5bd2a635d44e529d93354a955167f210

SHA512
f47552ca3443630c6e1e977ba53f3adaba85ee0b520e96b1656f8fc9c162a12963281f0ec6871550d9bae87e7a91f491f318b98a3d84a4eab4d16e2404d7e471

Download Submit
C:\ProgramData\qmUIIcMM\uAkAEwkc.exe

Filesize
954KB

MD5
37e736e830b634217b1f6fddb812df42

SHA1
d06dcd1d0da30e98a7d4e6a39b89592064aad884

SHA256
2a1903061077a86f19ced75ae5feff0e297b8be2578d53c627c0a74e13dec5e0

SHA512
2ec1d89eaa93213bee9336e1c8f7d5e2c14bb85649065da4f57898a8e24f7516eb6687b20fda7a8d6c68800651b9356eb9a8fae5fecdba39af8c08dc475557eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgAIEAAI.bat

Filesize
4B

MD5
5af48fe5e87ad133d5a8698183e56127

SHA1
c3634fbd9c6b5bcd05210040a4cd0492a1d83832

SHA256
240d72ce73800c733ab939290a94fe951c9ca587915c79b636067d3ea170edb5

SHA512
f12d63e95f7c6de6dd1693193a452e82a799385a47216432f660c335b84b1af5723be7c8a373fa37c6a34ed13569af929dcab4c6fa8a8eb4372a1b35caca00a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkYMAYME.bat

Filesize
4B

MD5
b5e156660a229341a62c1ea9632972c0

SHA1
5279b97c6bdc51674b9a1339645baaa2bd2cf35e

SHA256
26e26d0d082a7c8366a51c63d47a5666859c7a12d20ede5392e5817175669d4b

SHA512
e509651ce8aaf050ff625cc026db64ce953fd16873dc9ca34130acf313b09fab3e86a373ff45b7219aa7742b4c7e7a7333ac5403dc917419cdff1e1a2cb6ef14

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkwccwkY.bat

Filesize
4B

MD5
2f4f6612b5b51d06d2df03ce8cbf0df7

SHA1
c9cab14ea6f4917f9ea7311a79add2df766c8ae3

SHA256
a252a77c86e72fc9c2127c3c7c75b3364ac61381d806f8907d0cc03e11a4144f

SHA512
f17a3c1c36423ff90881192657fd845d4eebcc4d0c97d8f9be2e3018981e37f455c4f4973db4adee9f451a9b311378fdc9241b124936399e5b6676cbc487617f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByEYkYks.bat

Filesize
4B

MD5
a21cf4d9874750de1d8f8477856229ac

SHA1
9380e4c0ec84ee9f93dcfcbf5176ff2cd7da7386

SHA256
77be9efdbebf8ac3ead9b22bae2cdb23bc1d739f64a62beabe1d10a5b45fda93

SHA512
6061f067445e976416f89c11a1d4a1e313d2394cacee43d9a35fc0e54224ce19cc16bf02aaaf8875ce9e5dae8d781ee2456660dc827551bc63c368f43b71767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGMgMskg.bat

Filesize
4B

MD5
20f6aef3b3a014513481cada91d96cc4

SHA1
dc32d6bb8735520825134317f1db238f5935dcc5

SHA256
d64699c7ae8443bf73ca4d63cf4e263cebcc24092ad4748f975bff710e731823

SHA512
9813c3719b114efcbb4d11d3102c4178b6e037cde442cd1e5c337761698df8f5a79d886404c527da91adc8a92259f85f4de12a7e397de2dd24143553c8857cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUYcoQQc.bat

Filesize
4B

MD5
0905ac3c98a85fbfd73d3261db6b152c

SHA1
57812ccb91ea9bc90213088c2792e36b818af6a7

SHA256
0486abae274bb4b1abb3f1eccafb18669161e4c295de32c13a15390151b486c6

SHA512
2b10d4dffc5b1cb49e9d9d7dcc23ae0b5aab33012ef2545a5847b5876857b5bdd0c996144abbff9ee63f59f1c544adc4af4fd947772b7bea8d7612d3fb8d7fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEUEsIM.bat

Filesize
4B

MD5
e01369dbf5a97817065b569c593720f9

SHA1
7dbcc23de34088fae06c8f44fd0e65c705e05100

SHA256
6652ef778b976c8a157a26943b05d2a91b77f8e9e281dd844442eaa83afc3bf9

SHA512
510f4d854c8ca818d5055b5ba811a2198958e35f188010d5a1b1fb067da708798ecb62ddbfd5ffd1f8986fad17e6bab07119fd56e54f5c854078c44a441f79dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgMIgYE.bat

Filesize
4B

MD5
dccaa14d8c6552d3b93c5a4162e0052c

SHA1
73cf48db8b040a67c5a154ec96052f6627c9403f

SHA256
5bad5cb93dddf38bc3a4fd9c51b774c49f64af1ae0a4185fd83ed3d2ae59f39e

SHA512
3001d35db37553c97f78865f741bde1c82d69deb1ca3358a709f020170f5a8400c97624eb96a4a9c4f3d32d41c32d0ad62bc35fb75c995eccd437d72dbf36f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcIYAUMU.bat

Filesize
4B

MD5
308b5a9fb84b32e6ce682f776c4efb15

SHA1
7387116d7ec0808fe6e0af060b8b4c0e98a2fe47

SHA256
a52b28bfec1cf9a872838aa5a0d8aff0e54015ae921485693d77dd75c7747d45

SHA512
cece8ed98b3ea33f704f8b5ff7fe8c47f5ed37249cef8476234128f94b26aae918d1dda56484e301b648c0759942ad8b3a9f48173dd82d1d6d5dafad297c0d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\EeYIMgYk.bat

Filesize
4B

MD5
32685e1ec6d3472e8465f145bfaf8535

SHA1
c00b39639d9d48b0499b94591e6ca2cbdd356122

SHA256
dba908eaacc5e7bf214461ddb40eaedbbb3d6cdca7495b367973ac1e2e306b12

SHA512
872a31a0e6b3eacd53da99f108de908e495a2ec81fa6ad48301fade0d6668cfda487ec76f9c0723e42cf3ab9a60734b8325721aca3654f76e886a0ba789c957e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EssEwcQU.bat

Filesize
4B

MD5
20a0159fc89ab6ebe085e04249dd74bd

SHA1
a9ac784e5323569247c055fb49c35a4fa2eb771e

SHA256
defadc043e1a4813e21ee1d74b3d7395f1eb2a8c89a7873275554530e8268a46

SHA512
f97f54b6f35eaccdf4330e4da29c4ba715c2057a6f9f23dc2c203351c25d635570efb0c1a01a653bb9fb3d4a47eb5be0567f5f3dc7b3ab31b5bb1a695fce8315

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuYQQMgI.bat

Filesize
4B

MD5
4ca59369766c07595a90ccc09a2f10d9

SHA1
ef31dbe14b7f5065705dd4d6fdd227f4373b4d3b

SHA256
c4d24233196172fbad9929c1badc5d45a630882af2a96f922781d619841880d7

SHA512
da3aad48ad0a50de45e12750a63b633af7092cf03c48b6f2b623f9cb18db98555f64a5453be5b8e58f9623afc98d8eead0eeb468fc813168f34b01949f99627d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKYUQgAg.bat

Filesize
4B

MD5
288319383c35d64f99f5fc0672aa4f0f

SHA1
4dee37253ab916f81f062b9134eb367549e791af

SHA256
76f3a6299ae0cc3899506f65d68a30b5324879b54b44c72955bc198e2689a34c

SHA512
e2c25e18ada70ac4cb1d5286af38c56c7b1bfc6e09fdc999c14c8f347e531e4b3acaa7039a46ed8d99dc4cb772633459f871dbaf40dff54b0c3d64a24a470796

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKsEgkkk.bat

Filesize
4B

MD5
b698e03802acc84e26272ce02efdacef

SHA1
83ff92c795f0e446d11aa5d4b31e80f6ed3cced1

SHA256
f75ed59facd47d43913ecc2da9fbd606d603c63f6bb436ab81fff686b1a4ac7d

SHA512
817ce8dc4825308784d545e89f622a48b2c74d9885ea4763e83879a8d193b5bf488005ea02fdfd6fba7ed472b35e6ffca3f2112307eb368f0b156be3ac57bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISEwMYcI.bat

Filesize
4B

MD5
d133ec13589004e10480542212c7b0ba

SHA1
788e83af9418ed7dacdf84e427db1201a04a7e94

SHA256
f05a4cc5c5a1528f15f047a36702fb05572325dbc9dcd40e0143be456404567c

SHA512
92daa174738b38f480a65407641e31d37f2db51bf4daa6487c6be03f4957934fa37be2bb026cae45f202f7ef63ee6bff5a5d9144411cd9488bb959ff22aa400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IisEMcIU.bat

Filesize
4B

MD5
5d94f8d5a845547071faa12a1285de11

SHA1
524dce193476a21eef42d6decf5648b77774c7ef

SHA256
cd78f79181fdcdccb35dcba38a22bfcf3b329c036651dedb027249b68a0a994c

SHA512
f5a8d56fa1daf4c93aa64d9265afdfc7a105952407d0bcabc6acff47c186fd0c49465e19ba748d9bcacdf35b8df6eaf7975b4ab98d3b4ae6281b1a19f3875d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqQAMwMo.bat

Filesize
4B

MD5
e245cf5d18e87104bc717c74661c259f

SHA1
55f38d86e037ec4b78bce6043a1771ad3dd4be00

SHA256
b6dce4cc22f7517fb928edb5f912e68d37f0c7124b95a7cc8c5994176471b9a4

SHA512
792ff61586ee10eaa2c0aca5efccb01d6f02613468f3136b58471b09ce7e17c410ddb94227187151496ba3e9cee1a7e04ca5bd43de817e38a85d1c46aba16b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYwYcEE.bat

Filesize
4B

MD5
f5e60415fb7a1faf3d695811b79cfc61

SHA1
456e88b3aaebfa4810378793b73c75cf8f58f16d

SHA256
1e2141a496e3ac254b8365d724bf41a543a322519cf43f3b98777cb43bce3ea6

SHA512
04d5993cfc09a0f9034948fb12142aec6dc16dc8f5021cc99cef044ff1abf7ffa93ef4061dc06d313917e5e661c7f88dff46c6a1b2dd418f3b107c9c98be1f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuQUQAYQ.bat

Filesize
4B

MD5
26d540f42ecce949ec3c09172b5d3f0c

SHA1
45b65f9dadb4d4b36abf6d4e233360cbc1307bea

SHA256
786f17778448d802afd94492a10afe0bfc09ef48a17ed6c085183100d8f07bb0

SHA512
d7e4b2854329e260f90cfdab17d9d9c0dbe324ca82f2e92c3fc03daf8c2681c7f3bc783bfc6d9fdb4aaa97aa61047743c26fd689248a9676e66f6679e6446bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIcEEkME.bat

Filesize
4B

MD5
9bd04ee09041c14ac3fb7a91fc253656

SHA1
ffa4bd7a97cd7a4481294959f7d32bfb33efb86e

SHA256
b3a9d87e86ccc0213b08f0b5249122e28b149a7f10b65443e8ce994c5776e979

SHA512
ac13cbd61349f5962fee02cc356eab2de02db34789849376b89fbad54d047e5502ff2df3597eece5998f8e5c1deb2fc7e00f83da9facb5e494e2e88374ed5545

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOYQMMIg.bat

Filesize
4B

MD5
2b2dfbee55d287f6d0fbfa7dcf1e80a1

SHA1
bb2c1a02f9c858115c483cc81bc4f41da34a8178

SHA256
ada26b727f85846e89a10af5adecfa05db266b8b757af282fbc1992a6a3a2692

SHA512
7157aac3309d299c76547048424742dfb6839b13e098d61714e563918a0afe75e4380f72d82bfdad2ea99ef0e934a27563e5761e4a7b2d820c350977c7ffd2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSQskwco.bat

Filesize
4B

MD5
51f7c10e79fdd260fbc5e80f76befee1

SHA1
4dc40a769c5e18dfe43abb0c09dcdc5b69427572

SHA256
13cbe9cd2c3f4c2f76f75fe10c7b91fb65b21ea19ae3c4fb8c5df23032bfef80

SHA512
adc60950456bafce283bb9803df34a0c286bbad04a8df249558100b13db2551f53bf024897b0fdb955968583bfb2a4a65ac53172c9c4dbb65f2a05653662d39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JecUoUIc.bat

Filesize
4B

MD5
6bc97f6cc4f1ab6025fd1880f7e3d8b1

SHA1
9fbf4088a95268effeb6c4a42a29ceafc0a44343

SHA256
3e0c5ff6372eabae6cb508cc33cb7fb2f7a14e475bf0beb1541f1f4c4aa89408

SHA512
95190d4d1d95764f20df4c340271f5de3ee5a3a136beceb7221b7f2991a5da0268012e10b944024ffd9191596fd32442e05ad38dc0903916934c6898791ec406

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgoEEgc.bat

Filesize
4B

MD5
f45d862ebd0c30819aa48754bdecb109

SHA1
baae2826a79257292dde6bf2b6835e8f2d4c88dd

SHA256
e2b41415b856fd20d23cf9613c395f330e5ee9e8cfa348ed1fe3669a18da735c

SHA512
b4ab0a5e734879a4325663f8ffc65c3b90eb4e81de7d0622fa0933a27d09996061452dc0529684feb5c25f44f6968a88f50817f06218cd3950fe1cb0a38f9cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOUgsQoQ.bat

Filesize
4B

MD5
0060502eef614494801209b1a88936b2

SHA1
cfb4b0899317302b540b35f08e0d4375bfb151f4

SHA256
e14fb66b6f7845647af95366c12d2df794d7f04da957ffe48568d482c88c0566

SHA512
3b49ff084243e00ce609bab348eb3efaebf2892146ad380403dcaa69fcc4253f738c79898ab37113b7b35dfd906bf5ddc540c89a6c4153329db67cd55ec29aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUcUksMY.bat

Filesize
4B

MD5
a8ebfdc91b9a240c862840d4b280b3f7

SHA1
0a3e7b94e735d39a3e2aa6f9b95914ba4785b2e7

SHA256
8d8d7f05ab75d7f2bc0c395545686c236e32b19eb6cecbcb99d13b635c82b671

SHA512
2efda31544b5a18bc149eab66196c3075081db22fafe65088c7a7db4b5302e342c783971968106057f56286e01a225154840010d12b308052ee7bf64428bbb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqMswoQE.bat

Filesize
4B

MD5
5e034e4bcfc7da306da6e02dc82ab42a

SHA1
c57fabe6628356cd9a0ea03776fdc5cb7e813714

SHA256
763e759e832972964a9a49d8d1d11ca50896269f8b14e16a7203acbc9acf0204

SHA512
8af78717d71efb801583cd9c46625b61e85cd353800bee47a4321111aa6c6db18a2089e030ad85a3322f7285892fa1c1bc4f0b22c4be8e989c7cd5d1dca04431

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQQQsQM.bat

Filesize
4B

MD5
981ca74caf10324686419cc57d36e118

SHA1
43bb362a79bc8f90d4ac0009e8c738085a0b83fd

SHA256
1ce0e0c4a6aa4098bc178c996e937dae7b530daf8d26e39bc78559ba1e9969fd

SHA512
ee46a352caff50ff4c646de6257d29c76bfb8f0d0010fa7fb75c0933208516a74aa86ffbbb7a29e1f2a2cea47084ae48dd49d4e2b0ad9dec1cd6af20175f34d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIkEkcsw.bat

Filesize
4B

MD5
e0d44cea511da95cfad829a4a483c6c5

SHA1
c9b14584d3f57a38ab496a616b06b51830960d17

SHA256
73db35d29fb9395fabf3c71aa1d90f85c5d68baa40b0df08db54097c9683b27d

SHA512
0db82060827838cd5ead7befdefb054b76f5529491a566a13aaf7f89dec60cbe0a84f07457f03324eaac7378eeecbb649f1312af279b7eda5b86164951d81ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYUckswU.bat

Filesize
4B

MD5
584f2c9382e368d92adc55c5d1808e61

SHA1
cf7cf040b0fe2d0e2431305d9eab4ceb5e118835

SHA256
4e99404c8da8bf226bfc6cde15cdd36140aa39168f325e4d1d1bc59d5b14abf1

SHA512
e9d9aaadb813e555f345f68e2514e33556da9355fadc6860bff47ccbc36b88901ee6507b708b3291b62e303b1142a8b337824059ef937bd32c58f3737bb21e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiAYocsE.bat

Filesize
4B

MD5
559763171210373dfd13d6ad3ee52c18

SHA1
2c28cec561992857f61d7ff0c57f493acf617037

SHA256
fd9ad4726647538fe71dd98eaca9b61339b4b592cea0af71c977a11d22c88893

SHA512
bd87f33e7a944996e2659abe971cdfd55103b2d5f8f5a2e53692c7f088b59bcac908f07f84d1faa5b4c3c113dd7c5afc998c86c6b170915ffe96b3b3262a569a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyUwMkQo.bat

Filesize
4B

MD5
b2b5458ff11cc93f0cd6b9a0d62e1735

SHA1
a85f1e287d9773844a895b352fc812982bef9ea2

SHA256
d745e73c10f9b06904db90e966567bfd8c9fe67aee0f8792d95e8ae96f0422e7

SHA512
75ae274dae012d8f0631af4482f5d784d46979c87328e494ac16d9a8b55b43fdff878a98855b9fa622b97093704cff9ead4f71d50ca6711284c0bd58dfd44ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgoEogM.bat

Filesize
4B

MD5
d708d01381ad192fc07c005afc6b1794

SHA1
61dc59c4d793e8a23cca7dabb4b99aa0d32922dc

SHA256
20d1b02ea06eda6e8693a5bef590bb8a1307c9ca5889cb2732402f5e6d0276f8

SHA512
265b5dde4dbda88ffe0c88e2fd81e8d6a36a59d0a4ea04c1bf8f8b3fe4cc20d1f2166de9ef0d0c8bbcce00c78febf133b6f71abefc194a8dc7391f7fe9ea6d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYIAIkE.bat

Filesize
4B

MD5
42accf13d6829883797315966accc281

SHA1
cd427b07e24eba8dc8bd76b9686c8c00b3c3c440

SHA256
6a355a0328bdccc2e78668a1f8259ff30625e1939a88145a3286039758f22705

SHA512
c7381006a01ea675d60f1c98ccff8f9c7596cb276131553330992fa66cb5867a516507a62077e0aed09ea81c7fed750db327d6d83094da0c68e6d9d7ef8f6601

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqMEkYkg.bat

Filesize
4B

MD5
64537657012b6288db2fc21949d87026

SHA1
ccd661057cab557418d3a17123e59c4667506a65

SHA256
43da5ffe614aa6dff0451bc8bcb04795a739b181c591e05bcdac4956ee958703

SHA512
cc5c138903db959e065b9212b80e2e722d9bf41db76d2c5686d5d96d0af93952f359a3331a288d6a45977803a3cc84eeec0bd274a15a99f6de2cb9e37679641f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MysAgEcQ.bat

Filesize
4B

MD5
e82bd52062406850f0fc15bd597792b2

SHA1
d22c0a68aa1fc4511832b21a81bcb913c6cf9571

SHA256
6719e803fc4c02331e5b6581a995199a9189b5aac03710213e1e5c09f95dc857

SHA512
ba8e7ba325d8ad3a387608e9c099992951568de23917586249b67a9d3e1ac4bd36985812d4c3f698fd745bccf1f4ee6e6b0715c45dee9d9cb6ea8f2da3067876

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEwIIoUE.bat

Filesize
4B

MD5
329bf2ba4d21655008ceeb2b84c7ce44

SHA1
70d856ea6fe820cc812843ce237962ef64b3ebd9

SHA256
ca1c5abd81c02278141c747eb6ce5404224ec9a7ae70fa600a13b6ed71fc9818

SHA512
88dfa14a6cad3ec532ca8ebc6996fd7c03a3141a24dd7fef161a7504c1e209380217eee62b6893979265c92b0878e3525a93d2afab287c5aa771460ed703de2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NScowEIE.bat

Filesize
4B

MD5
46e1c88fd07d0609c8f8645d1a45ea0d

SHA1
3b987d1fd2f9f4ac4b4e6117864e49f87aa8df8f

SHA256
32287c4161ff30b6becbadb4072edb979980d1706191f63a79d0310ce87c16bc

SHA512
b86a22849084ee6102803b66d12b5846de238e86f077f3a207302ac8ce0f92768081ccae75228047522cfb16b8f60212520fc72981a893ee857597fee8b03b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSwYwcwQ.bat

Filesize
4B

MD5
5d6900189cda02f6630fde2745276e8a

SHA1
68ee8cffdc860ef7bb04ec2da1c6ffd8257dbdab

SHA256
1c8ce1c97b11054bc8c58b2b984a803e39887ef53d26d320abf004cc64722175

SHA512
8929e41bbaf4634db05d534617c9baa19abe39141fda02af781d1db70138f2a30771792c7fa14ff400d5dab0a994d4d57e808861c02bcd310273223dede9c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEAkYoIU.bat

Filesize
4B

MD5
1292441144dd79777deb3f76b9dad2b1

SHA1
1bbdf761e0e71566ff114586c923b85fa3eeea71

SHA256
c4a87764b4189087b0cfcfa3485557cbdf49e299a0952fe4789dbc6343cb4f92

SHA512
0f29b73406263aea285208307f51a89f405a34e19982b0520557f60e3dc545a6dde8b15d8aa8d9de883bb3b7da315fd3e7abe45dce0a1172033ecba547c17ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqAAckok.bat

Filesize
4B

MD5
1aca5ba6a72cb777644da0e9130ab9ca

SHA1
5b9bb39bfeae71feb41fe9a6bb2e52b70d851b9f

SHA256
e2d4c33f875e76089b8dfc58ea478cc5f1840af4e4d58963542cc81ae4ad8c64

SHA512
4086fe06d2fe2b3ab428efde5d8ea02a3b3f18b7008a39fa232791c511d7b0ca4f8fd8448df9b93cdad2f5fc59d41e2b2bd3c644d5fc62a876b3979a186a190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGMIcsgc.bat

Filesize
4B

MD5
c3ab57f28324671da0229d5717e4858e

SHA1
7bbef921a0851f9b43deb60f560297428e6dfa9d

SHA256
fe23297f54a6fea9c9f7f88b5df7f725f8ee00610a1ecc42efef8b588e54febe

SHA512
81851a82d6f04262fca1bd94f39318858f092a064dbb4d23286ecf28f5c34026a9b2cd1c3d825e1dd63813b15acad5aabed2ee2fc012c85483ce7832a27d0c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGYUQMYQ.bat

Filesize
4B

MD5
797b7b6b800b7994cb92b8895224ddb3

SHA1
6171590ef6bc178e84eeceb20041b42aac0d83e6

SHA256
65070031779155b84bc706c069e990035f43aea2cbff03f5048fa6fb0548969e

SHA512
98ff48a231f7e7df9bf24bc5fa715dab1993c88889df952065c109339b6cbfaaf8c770ace3e1a4780fe44a721f99a66375e09a5d40d26ff1716b07f2a5fb75dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcoYIQc.bat

Filesize
4B

MD5
66148bc30299dffc89216666702160ec

SHA1
f9b0ab5d94266fb33b2a3650bc1f10d3eeb22382

SHA256
9eb042bb78e9c47dac13dc699c9f3766e39f97ae52fb570165b8631b2cd28dd5

SHA512
02b92ce654e25cb0a4bdd0335e3103e4944b80969897cb61a86246ce975b38689e8e33df16443e2ed57a51693f27e8e875fe648403f81e9d733449e4f2553c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\POkswEMM.bat

Filesize
4B

MD5
c2317f30580860b0142ac5eed8cf8fe4

SHA1
94ad6579aee25e919e18eaf36910042afaa6a49e

SHA256
2b303b2f2ad35d94b1219218e3b59fccc9ae61c1f5fe3f966fc58a9738b7067b

SHA512
b7324df23a0f1f5be9590f6307b26751d1b8768bb06977669df64fe14a5b70e5a6ec60a9c8a84eec2501636f2241056c366e307119d9b23e2873b2c1dd5e2421

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaUcAUIY.bat

Filesize
4B

MD5
0491f142761091429ace8b78019ebbb5

SHA1
505c1164da55b81b93723e669bffb79b6ce8d802

SHA256
145d52eea7e146cb6642fa54abc1d254de9b43cdd7a0f331bf2068634ab353c9

SHA512
75f5ccef3ca42bbb42790a4a5ec8a81c1d14fa6383f19a8cb4dd08c3fb4c9bcbf007dcd90fbada066ee3a019c9268f0820de11f4ceaaa98eb148854818a79bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PusMoQYQ.bat

Filesize
4B

MD5
2f1fa18817f0296a90f8e5c4ead74447

SHA1
5c70cd713e47bd0108c4f293d5dc4d06af2fe1b2

SHA256
6c7a46497882ad05e61ef14c6f9d44c1a7e0c4c191eecdef1651e9438b8ddb33

SHA512
78818f308893ea5c7bfcfe7c654b74472cd457de30e7e13713a870671000d96873fd2042b1336700b678d5743dcfe5911a4856c7f87443edb994dfbbb6c1aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGAcgEgg.bat

Filesize
4B

MD5
b609789abf44c84d4a8aff8c74ce04fd

SHA1
171c6c63ac9a0cac2e07e78727845459bc57a672

SHA256
a1f08022db90eaa066c1e70935018701e248125fa6ad8d0e67a704efb1077ccc

SHA512
4eabc4f54b8dfb68ac17baffd1cf6d3cdf62456f997455569b8cdeb31de3805271d23731efb2d84737901fda60c8fc857ad480c7601ae42e04b0c696e935efcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgUQIAoE.bat

Filesize
4B

MD5
b26938f6a46aea9dee558340f0aa5e0f

SHA1
297c47378a2a7e5d33662149ed0f8e8bceb73084

SHA256
7f0cf2f738290bc448ef99b09edde920a8a8ce22b912bcfdecf234f0c4d88ba6

SHA512
4fd9bcad6208ce8a67b5081060d5f50cfe95bfaf4407c3b160526991ea95a9f9495b0135563f10b34730d2e33a254452ef4fd734756865775ffa07ab40d7eaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\REYEUQUc.bat

Filesize
4B

MD5
529991e74bc8e80ce982f61a87ad21fe

SHA1
5799e315454436e56b5cd838242fd7be228f6238

SHA256
55943547b9999f8fbbf600ac5f180dec03b1a904aa6f56ddb6aaa68a3b0f5bf0

SHA512
7814e64c54ea04f795a5fdd462a99d3b26eee7684914a36a98e14f62898155408f90b4e57efc6d36b91a098907cee02900016e2923ec145bc1b8ad4012684ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RecskgYA.bat

Filesize
4B

MD5
e471d9138a4dc867c403e90ef2ed38af

SHA1
b5184ba4cebf28dddb736eb4b605bafff7699569

SHA256
6838e14bc7b8599c59e2beb3576412bb12813cfab7a78d0a8e7e7382bf49992b

SHA512
cd1aeddffd099a77f79545078a366b9dcc7f2553f7c3abc2a4f80c476bc97515af31e2fd1e66d98b80d059ebde2633a336abcc08cb89062a92ec8424798f0a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEkssEwI.bat

Filesize
4B

MD5
fa0836679be902dbfa2ea76e29b7b11b

SHA1
3fff4a55f57a17492d18664e1cbce38dd04b6b09

SHA256
a029ca95cad484bc4a9454089100c527340cb4eb87213305699225fb12e44af3

SHA512
e0c0eefa39b577e208d726a4772d08d00651d147f87a86081812190a855413ef358927114c9272f865fed77704c2e6534edae00349f1a5feddf44733292e4c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkcYoAIk.bat

Filesize
4B

MD5
acf1d25f6526d7dcf5503f90d4f3434e

SHA1
6fc4dfa6a74407ff4058220973c480881501dca5

SHA256
779c32bcbd704ffc9dc0e6b10e8ec2eb6d61f3bd8df299121cbf79f553dac40a

SHA512
c1596c365ca5361dbafc176ab1faf1df96e70ec89c10c93f52975f8a952d52a5eb960db35cdc0eec9e44beb2cd0ab6e341fc89f7dc98c0d069a449155b9cedaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAQwgYEM.bat

Filesize
4B

MD5
42e3bd3ea52475bb5c9c4f17dba91a06

SHA1
18a2b94beacebc901664b8f37acd427b4ac4be7b

SHA256
f852de8f59f98aa9d1f2eefc70f4b49e850bd7167377733ff08ec2e9c3c0443c

SHA512
a98a67a87a0f4e339d18463d1efc176dec12716bc1f594f498f2257b51f7f748154690e888a9c1aa531ca491778a5542128d9c5471a9b0d2fa0909a38f4ec836

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUoksoAc.bat

Filesize
4B

MD5
df5baa78e5393705a918f162d14b4418

SHA1
c5c7a29ac4f484c91ebfc89736e345e1c7517d87

SHA256
2d51e5464aa6775b0fdde318ed097e4c8d707bae691641ccd3af6ecd729ace1c

SHA512
aa51d95791fdc422fcc7b73d9f321b50784c414ef1db6ea15c5b58aed0aed34a816b3cc542ee84ad0371dbb83d4bbff17671ad82e4a33112e12a8deaa36821f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TagQQkAs.bat

Filesize
4B

MD5
f8b3d6a7f7e57becd929b60fd75fcf34

SHA1
07171f8a18822b50cd60773cd89af0f9f6822990

SHA256
1bdea69e24d15d7c2954b3df91a037acefd9c28585c673ff7356ee1d2b28d9d8

SHA512
68135f9768db25bde20a59f86339e495f5e0ea931a1ac7ca58e80f835858540a1c7adbf59989ca58c96aaa01940c08bb6d78c683a8d9d28ed5e037025b76b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcUUUAEw.bat

Filesize
4B

MD5
6585cb4dffb2f703da8f27a51d536082

SHA1
85bad2a4bb4b5b6f81d441744c773621eafc73a3

SHA256
89e03d5b0929a2aea81e1897e6e2b112bfffed7e79787bed893201e4b2235f1f

SHA512
cb21e951c9474d738ea5749c809b72176c27b57da0db219d11507f894b9efa7dd34ca2411ce8ab5d7344d869a693680ccbe3903571578d4af758b33d9a8ce907

Download Submit
C:\Users\Admin\AppData\Local\Temp\TescYkAA.bat

Filesize
4B

MD5
3a73351b88e87588dbc87f57bce7c648

SHA1
84f34d96bb5b4338ecb5dd3430ffede1f4eb6416

SHA256
4bdd3055de150c708128f4903bcd5f40e2b6dca51c1a4413da7cfba54e4a2c46

SHA512
33f5a72d539766ed78b0df886d6094ccf0e83b4c2df3883dd0d462488119e92f9800aa4137bab5edca017f68783a2607b8fd10237df3d9f458affd491f9fc7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiAwsIkI.bat

Filesize
4B

MD5
47035ca8e734366dce8955d927cb2b67

SHA1
cffa381b07e472c9937f9f7c4bc5fda262b5f535

SHA256
8fd90f95d4c2245816c5095c03ccd0573ea81d66578779c83a009c938c8094cb

SHA512
7c5b59d4501a607f82ec617f49cbc4225516f320e8e6d21de6ab9ddfbbc6295cf41e5f7dae2cb38c1beac5413fb580d8ce05c6494dd55dd750e5b1523554581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEUEIMQ.bat

Filesize
4B

MD5
52dbd76143d99e31826489a825bbf95c

SHA1
cbf34ab1848ce8a1a6b9d7e9a418b14f724e72cc

SHA256
9b14fd6444e8158912164cb5da3ffd7dd4eb8b6c645a0f3e9a5a673813d0f0f8

SHA512
033893964720d7c6c4b97e724176574cc2d752dc0dc8ca9826bada964cc15a87ae1a1e7c83700869492977230fe9e97eef91cfd2dbefa7d46e452105b75b7777

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWYYswkA.bat

Filesize
4B

MD5
05c501250cabb832e24519f9dcf67c55

SHA1
d16979bc7b2825ac3fbdb75fc422583f793113f9

SHA256
ae09d3c1e1901ebb1a7c0f928d6b30ef683b08c92e456dbfb5dd1b851f546754

SHA512
d1b057688f2cf3f456f99d35f439c55676cd150a074506bf31133e485f88ab0c27d3e77908fd297b18e8559a69db6f2499aff9cf0c86439a042e582fe6109d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\UooMAkws.bat

Filesize
4B

MD5
0568a53961feac3576c41a73d2016f56

SHA1
a025b4c0accebcf35a89fe852d58777e320c9549

SHA256
be5499fc14de7c3b291504f639a74c4852726b3f2b21225a7af25c44a088e7cc

SHA512
457bf0debd7c653a413c55c3f7f0fd87b68c96fdbe229fb600bc1a4bc207d36a320a1d62bac5927b762eec137940c6376b532112091c512d45aa7fc9cfe18beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwQYscQ.bat

Filesize
4B

MD5
5ddd19b3907d52a16f1408d4930f5adb

SHA1
267a8feed8b9d12534d32584df59b20ad19a02ed

SHA256
da29b939b12437188b101341330a7824075d8d66710b49ff3e27a3ab12c6a55f

SHA512
98368896f93dbcc9fa53ce0654442889b2b7450257fd7953e03ec43e897f7783b838e0f6cbb809507ea94f4ee6cd777d1ee39bca37a4b4c38aacd7f4e092ba87

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWoUgUMA.bat

Filesize
4B

MD5
8bc7465989e564de2f7079fa1d2663aa

SHA1
cce8bf884397ddc09451b7249879ddb68f2171dd

SHA256
7c39a3e596f087ea97db66d0a0168bba9e7dcb82e16d44a3e866cb488339880d

SHA512
03de7028edce1f5865e21337fff4aef20b70d86084294db2e37a2bbe26d4e8ec8d2e8f3e86aa27171bd6c3384a538d0e7c3b5aa9de4e16b31ed6563d82471abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOUYYUcg.bat

Filesize
4B

MD5
cf621468a11433b1dc09ce4a293f4e86

SHA1
66ae05aaa0abb3da307c9007931641c7bb1923c8

SHA256
b1ba74470462497202d4f6d0b4915a0012b7a0fa9fabc75151aa73896c487d37

SHA512
1b27176bbebfb9359482bbdb554287cb62fc464525cf39f3ba7d2045c3935b05018eea6a1828b8278e640db083579981dc70e65d3f25ec1c1afc99c37c8bac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgEQowk.bat

Filesize
4B

MD5
1d117e82aba1c7db9a83a6f123f9931a

SHA1
38773b4a7ed95d83c22f094b8971142b11297087

SHA256
a1de84a72ec488c4158e4ca4492d29dd84225afd26ecd73ada7ffa170c7b8abf

SHA512
6df2a39de58065dc68f55f42567aa312f123ab1270dc643b208a3bbcaa4455a2e74ba08f138a4a601a858ab9a98f1730de368efb8562135c41456b25d669be85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wmosgwgw.bat

Filesize
4B

MD5
9789275840d6b5a5bf9b5f4a3bae2690

SHA1
4776a61d2fe426f4e521ab2e9bb75becaabdbc0a

SHA256
33ac2de98f1a5a89b768ff9fd5f5f80593e43e1d1ee189f26d0789d7ea60d937

SHA512
d060c65338cacaca5ea956effb789e0423b6c3f1c0f631fe00d626a7dd5b6b6b062c8cd60e6ea5985cc0ae7c716a8249892e657f6d86b5c88ada0f03cbcf461b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAwYYowg.bat

Filesize
4B

MD5
da0e51c303eeb0a78d38472578706b4a

SHA1
51706cd860bca695cdf3efbe41309212ab291969

SHA256
96eae260b9d8aebab6abf61cb9434e5ecdd053ad0f70c5dc64f41385a189bcad

SHA512
5bbc2520abc897f2a50162b29e46598c21f628c3597e67b0b9207239e6ab77042912384467546a6fc27a556cdc6d5f41557018bb1f2bae2407865b315c61fbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMMYIogA.bat

Filesize
4B

MD5
8c3d75f272cd3d2bc9d66158093e7f63

SHA1
47204e910af5f4a82422562a1d4656a58a1e78e3

SHA256
a15e342f1dfe077d8f8442fada3404339bb62b332120a5af39ae0b96605390fc

SHA512
798530cfdd2d2024fbe3843f433bac334c8c16ccb3815a3b3514776afec0e6e80e8e144f8c9c120e0a9c42dac6d560958d7259806efc1aa811aed1b82c145d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUAswcMw.bat

Filesize
4B

MD5
72b28155d22484c8a700820f3cce70e3

SHA1
e4dc48443ff05b9b04bb016cf1fc7a35746dd3b7

SHA256
dfde3351edd990a5469266b26a8a9eb869f5c27ac5b661b0ae74d6f62025a1f9

SHA512
3d4d0d428c8728e33a1c3b09d04b16eb4f785c3e6167acf2e91e685aa8a3362b696d1c2d7b13ba7661a076e84c3920d6e22afa0853b1e1820ebf82f0e6084682

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqcYQIkU.bat

Filesize
4B

MD5
cd508e685c7c81250b78a2eadb52e654

SHA1
931cc41eb6dc21c8c7ee91cc805f4ce73ce57329

SHA256
579698fafaa52f5ac54df869048946bcd4bee5772413117d23aece19e5b5d09f

SHA512
731245007e946309988b76edc1abeb0f9179f446c196afc8d75e4da898712966ee3cb6e2e7ff8ae8ac52716ac0aedd3c3700896d9ec9e63dc4fff36d8539c6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSgsQAkk.bat

Filesize
4B

MD5
f586a82debb4e679935ab584b1360219

SHA1
61ac67896aadf8eaf7826f340330d571ae8e2fd4

SHA256
3960166321ee76f8a1b872ec392828d3407a67ffdf3a9a24afd27ff31d3b656e

SHA512
014c18657fac7ce6f117dcbd2f8f8b22c16de42d834965f9f1638118ad916fdd98700499a58c655a9989a090813690e99911c489784451c557a6c6cba7fc8c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\akcsEscA.bat

Filesize
4B

MD5
721439d86976782c591ecf957b5f8a9d

SHA1
25712107fdfab9db780f87d5320cfced12a9b45a

SHA256
d02df8b5b13d4e4dba7b589f772212ed9adeb214e1714cb40ab8373ef642e30f

SHA512
83b3cd26a45a292a9af328b02d1526850b5154916f39c260c379efbf36561a8e687d170cc30313029be43abce09a8e79d2b3f9e43b5bc0d62352cf5bc8c5a8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAUMEgQ.bat

Filesize
4B

MD5
c7fcc87a27a417ca62b2778fdbedfe3a

SHA1
a5c0adba1402802c72c0f45ed686da0610d03448

SHA256
df8b4d8ef6d87217f608633f3acad50f26417eff82b282463a543362845f8d32

SHA512
45ad1866f142b6699a1ab5b861497e5993907ae0abf8b2124983b8c62a10cd86d5c29a07ddc9c31fb58d145742a9bb24a802ab67f9724bb93c0152337e9a5d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYUIYYUE.bat

Filesize
4B

MD5
415ce5fe413f3b53d6b91d4c8011bef0

SHA1
ff571c8919ca2a2e2cfd78c95c84f2d5b8cc4e7c

SHA256
5739f254fe49ee991de3b62704c0d33cb9b40211adfbc803682f32302a2df1b6

SHA512
7d25b009a9e0f19b21a0165e676aa95d226209f17684d87c1a0b07cf7df84d5454d463d043080217b095c6741c5ad6d29fed8f74f3e62422cdb1d8b29bdd1b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmowQIEw.bat

Filesize
4B

MD5
ca2a1232d0f47e8d1e23cb5a3f2248c8

SHA1
611b7f374b02cd21573e72a45d545cf931516032

SHA256
37bc28f89635b1a7315a77b04df349f99a440bf67ae66ab2d1cf20b3711e45f6

SHA512
3c8db57f5dedca2107bedc9230c256a8c888b19bbdb44b76f22b2b11f7739ee395a7917a5bfd3dac2c904a30b9dba02bbc20014ba34ae80d2726ff9e8c4ce958

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUMccYUg.bat

Filesize
4B

MD5
693674c34b12c5048fa57e0ad5b9a944

SHA1
ed2c1de13fece14f4fbf5bc6907114d722ba5f31

SHA256
b3c2cbd5c4529cce5b61a00cd2cf18621ace305289c4f69c8371c8cffa273993

SHA512
47fe4621b9f4e95cdc746bb7b374d64d3edb3fa30c93e220e25091fe967c7b0b5843d41df1a0bba04d337e02469851d155c26165ef9c81dc154ea9c9af691264

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccssEAIo.bat

Filesize
4B

MD5
420cbcfba9c89ea9bdf9b4f5adf28273

SHA1
b97b7a4bbbd7f8f30a5ae74a83fee9e66971f885

SHA256
016bf5f2041af9093d3895d42f29a8bcff14bf82cfa0921e945cd5146ba9583a

SHA512
63e9e06fc9291062215199e6b7e10b071714e09dc66bd95326f5940444d71f5a7cbe602c16cc5e40071496642873a2d457dcec5a4fe30215f63250159fa4f9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqksgcgU.bat

Filesize
4B

MD5
399f7d19dd107b9b075e1c12c068673e

SHA1
476c0b9c45ee9d98fa25dbb8afda7c54ba6d0ba4

SHA256
5a4c92e85b3475b7a8fd54bfe141f2543dc69174a6e295a7183a70f54053d415

SHA512
32f88618389924e7bad32928973c7fba9963ed22b0601c7c1d3e66ca0a14cbf86fa2939d2bd2589e14a7e9461f67d34efa9a2dba180d6fad26796ade5a951e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkIssEsM.bat

Filesize
4B

MD5
422a0c347afd02804a28942fcde65bf1

SHA1
6ab78203b135eb3a01b1b2160c510a8eba5beab1

SHA256
f540456cec72d9286b377fcd2e9f249f1e897eab35691ef3088460af36f7c21a

SHA512
a145f2215cea99c864813017a0d065c8bba5713727e3c4e7e371bfbf8680dea65d3ba335c18038db8dc0274d57914973efc99c274d9f26c92f1d20fd09a56b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\dywAYYcU.bat

Filesize
4B

MD5
78cb182790c409d7b9ec35882c320f6b

SHA1
710326eb532bced78a33c4de243c846f5ae272ab

SHA256
68f0c53cb0f9fbb8a88207523e22f123451724a22a53ae265a4bbe9e0fe98b99

SHA512
9010ab95eafeab1ebd375c1430334139f4b54916286f2b369fff6492db69dbe0a9849f3175f09f2aa22679cb9f19c55e1b59fdf1555a9c2b5b7dc9d89b4a7d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgIcQos.bat

Filesize
4B

MD5
8f7525b531db05a4ce498c14678d0b3d

SHA1
2e4f20236c85601e71c583b399ac6b0c9a702e02

SHA256
b262c7d78f3d7deb95bbb4664b2784e1afb57791dd28cb2bb59e12d7d672f639

SHA512
36789546a21209dc4fb48ec45ec3e86e8b0d803f6b366c79fb51ac079fc150bf28b11447b04a736b8381354ed760b815976c8557239a6534d37caaee52fcf31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeAMosQA.bat

Filesize
4B

MD5
4c86a35ac5b286567b374249eff2ebff

SHA1
6feb2691c6be361d892fc6eb9b68a44a5b59330e

SHA256
3eeed86df3f77574b97dacf214a117997fd5d6c3904ae099258ffc07905e7be5

SHA512
a22449a48ad1780f72f740df867a3947d09629e9c1a5320ac3c002ebcfe6a41913259fb7ed7d76a2c6ef856cc26d337e2392a8e17ab39a7b52663c7529a6510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMswQgok.bat

Filesize
4B

MD5
712ec15bd7f5ec3c86dbbfa3fd0a7777

SHA1
08c9abbc4ced47852c64af9651ddcf6d7b2c871a

SHA256
f4a2b34dd8bb1175d4d755051ec3bbd94c3d2b0817ed1bc41fe4c8994af469c6

SHA512
01e45eabf88da96bf04d6dda5afceaaeefed6b8b5630dd007822c142fecffce9b1ed6e0baba9b134af0d0efd450abebe44780fba8a8e016e7d271d23ec2eae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOYkcogc.bat

Filesize
4B

MD5
8ac81cbc4308e01363df47d40cb17690

SHA1
8daa79f6cd3a81b2dafa139f69a1c1835875f8a8

SHA256
3421130c80fbd9fc6abe1716b18ba1d476bc6a693ec7cfa794f5a6df46a84b56

SHA512
a2406af64870e634e942b904df11c0ac711c89d4d006a37f060771cd33660bfc7627cbd5b265ea120af863ab5fa6f9a560e9280d90bfbf9500b5e8e725d109a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSIMsIUE.bat

Filesize
4B

MD5
2f7987792ee0318b1b177077858e6f48

SHA1
fc9788449191585a4b071a883dee4d02539eb09b

SHA256
f5441655bb32b854346ef3c413d1f4eef3729cdfca07169ed4d6c323958e498d

SHA512
36b6c454d4742dfa12c06bf6fd462fda45bfcf4b1a6b2ac5958d558b45c66b1fb5df637ed777849fec6c9780360fd17239fbe40591f98a4b4c3036a211a0b1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmcQMkQU.bat

Filesize
4B

MD5
e55eacfced3797e053d91677187ae53e

SHA1
03f54f66b392d471dbeda0e7ca038378df75e041

SHA256
246e3085144af66d21f54b37e9d379b16dd046349cb92a282ea7052b2af47fe1

SHA512
0d73fbe9566a9536fc97c33beaf3f299d40f46266f3cb2c2c72e825e9a10a71a5305155bbd6041c783d40dfb404fbee52239532bda01f58db31f7c8479d311f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOsQAgMk.bat

Filesize
4B

MD5
ffbdda3b5b74311b5b871eb9b27b1dc3

SHA1
c0132cdfb00c7f663eb1265ccbd32bdaa7311dae

SHA256
37a0cd6805c0e0aef4f5cd6c98d5721a8dc7919f883cf1125a124772a5a6be85

SHA512
8ac5dc63941b48f15f59a7148827077ae9110bad120d954cb905c87acfc2a6cec7a4255cbb9e20b752f92e4d7ed79d5d0c328f6b0bf36e74db94b64b50114637

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggMcgYYU.bat

Filesize
4B

MD5
fdc6031c3c2b542027653e05c4603f59

SHA1
7d3c746932ad9b949b17c43b7e0d7028b6161583

SHA256
60abba543d5b59f4ea89fea624f4bdff461fac5953bf28587cbd66adc0b2f41e

SHA512
085d9814d3dc615442774bb9d6ddf8eb828ef924f5e070db62fe0f9f41a251a47d580542df16e0ccd4c12f91ae9c43e003f1843747e84a0d5b8dc5e0a7fe32e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGQgQcEs.bat

Filesize
4B

MD5
d4106f32f7ca96edcf37af0266030f20

SHA1
bd0dd0a5208a0166443e5c4184e3a89ced804faa

SHA256
085a97d2783afba9cce15252900ac64e2420c512d02c74ed4bbfcc9963fb4a22

SHA512
8f1adb5aa0a861a4d37f419df7f033173bb004948c687f51e839866e4836413f513bf65817d7234a5c6692468871f2284ab32aad79dbc4a78fe3d1b9462a0067

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGgIgUQU.bat

Filesize
4B

MD5
f9e4063ff6c6cd00d7e7254dffc9457f

SHA1
cbcc6558377d934fcf58eafc2e524da40b739f08

SHA256
ab86e4a875b608351997be58de06308c145b9d197a8fb0cf5a18befd4b71eaf7

SHA512
eb2a07dd7d124761b3a935e04855a4bf217af35ef680eac717b44dd9680f9e1f0d535a9033cdb9f1cb95ad224abb29d1404bb2df727c33b78bc1893ecde755bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiokwwgc.bat

Filesize
4B

MD5
4dcf42f5a8fbd00962df5f63f280719c

SHA1
7459adbc5899f47f9df43c5a758334f9c2c8b1b1

SHA256
dd35b02ea9f9929807b5ce9a9af7946d47806f47d5c5ee5719b630980f368472

SHA512
fdf15b2faceaaf0f519964a01665373f2cd212b9b5b93da714852012f323822943aee941715e2673d6463bebc6f28298b7f928a453c51af2d6ad9860aa53b96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqYYAsYA.bat

Filesize
4B

MD5
e062a1599e9b53d20c0a669c037879c9

SHA1
c8be5732876444f16537cbbda8ec3f6b39793c95

SHA256
f789c8bea37c5b591c65faa0c020a36c86729221425d1f3057f12b9380f19511

SHA512
df01cfdec77a59fd48925484fe26010d9b6774efa1267692ec3f1348311b2976ca5fdb92f2f2fd3348a106acf62676343f02d9a66c5af7fee55b6e624883e347

Download Submit
C:\Users\Admin\AppData\Local\Temp\iukAMUoE.bat

Filesize
4B

MD5
40ce6902a30e9ff1012f5fd2254dcf1a

SHA1
281fae32a7fa6b4b725912c5c4677b2089017a59

SHA256
0b26cfd763d4fbde0e17943c192d034f006fa672ce92ec307f87a8b2694f7393

SHA512
b7b26fa5164028b5cd3ebde191df4b1f928dc2265338129a3f55433645d6a709e47d8e2db1efda0ed79b0018d19e9ab47f8f8c11977cfdc3bb0c0076680d71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEAkEIQM.bat

Filesize
4B

MD5
abd2ede0feac3a652dc5b50a2cfb4d66

SHA1
e9b2a9e497730e277fa84faf2b957831e4c37146

SHA256
b530ec0da705ddd9b115364d16bdeab6779892ce3564a339ef1cb4a53d856742

SHA512
eabb0dff33e5c71fe59dd59e4d433bc97fe13d13c0c16a78e5eea636846414d04211432d216e300d229b0ab8ef98d8df5af59ac5a01dc4f954fb111b4de1d76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOIskEcA.bat

Filesize
4B

MD5
04bda27891dff4a4e5fcb123344e1188

SHA1
8db03eaf5a37845eafc1a213dd077317e5644727

SHA256
254ebf9e38b57febf3c9fdf836038019010e40beff4e25bcd5d6c2a7f804d788

SHA512
6ccfc759a3026201a6f19f1f8d40350123748ad9473a4e804778c3b164a77cc6c32b1c5af829431c230fe586e77605421f18a69330e8c2261850207cc145c354

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaMokoIQ.bat

Filesize
4B

MD5
215eb9953eb17212c05237bffdf50043

SHA1
af8e5bcc9518f838c425ba3fc1f9307ae8278519

SHA256
50d6c049d11ab56bf8a1138a816ad04f1d8f24c8348862499c9ceeb920dba9d9

SHA512
f55fbff39acd31e51bcf7151480c811042b269e556c235dec6bbf853df744e2a6bb201d8f54c84ebb511561dd8826ba1dd92dba4ca66045001c3475596ac2949

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsQoEEM.bat

Filesize
4B

MD5
188c3b5fcd5752d8f4c8477e329ea5f9

SHA1
9697f099d60544d7c7344c72a10732bf327517f7

SHA256
b61cff16fb7cc38cb161bae5ab57330874eae7150672324f05b6a1eeef14f953

SHA512
dfbb4aef867bca543bc9f558ec7df2639925c039ba393fab6dca73230b17ef9b225c0f3956a11482ff282850d68f717487470a09fdba75b65e1f300ef5c6fb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCMQoQAY.bat

Filesize
4B

MD5
241554a4624c16f4c35106ab37e3eeb0

SHA1
574b1224128fce116de9ff42fd1d684abd9d0921

SHA256
2ddb72b5c4aa1ffa54ab689c4be6346b3cfc6785290246b504c5145e81fbbff4

SHA512
cad745f5576221da483ca9d12df14e2da97a299f7157f318f4d0dc1e964dcfc3b8eea5774c02c219a85273eb3e0016efcc569f9dee71f8c467b3c6c73b62fb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOwMIgoA.bat

Filesize
4B

MD5
d5ffc72d4c4e1f68f7d55737461c9f53

SHA1
71070ebac77754c9fb386e0012161a7c841686c2

SHA256
aa6faba74c8cc23c169f8478422588da952da74b4db1eef4eb50e877c153dba2

SHA512
a7e4b7d5ab8423742dd1c7d2dcf1379278f0178a9bf847a5979b5c3f2682ed66c99fd03694f8048f11d3d6a099eaffada091b952423cd9750e97ac500375821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kissMAwM.bat

Filesize
4B

MD5
4188679c1d8a284ccc41a6b601869e05

SHA1
07a2e25662f8c794e07aa2ef31707338c26b8a89

SHA256
89d19d63941a517f4921ec8496fbf07c4b444537352cc585461a1b4de469fde5

SHA512
3c29c73ad474d3dce3213f46de312b6365600b3c489cf87e6ac42e82df03a24cced56ec30b52c48dde0d5986685b081f228ef3df59fba39d72b8beefa15df9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokswkoc.bat

Filesize
4B

MD5
8e165c05181f0e6969d172c30582611a

SHA1
4b649b41810081ec40793d719d7543596e7cf455

SHA256
000834985fd091a95d4af8445631c868e078c807a7e86d98e932771729e02185

SHA512
f568caa8ad33a0705795af7bc3e06558ef4be16598216f7a33c10df1b3c6d65f07a130c2be73862f44f3baee995d501e54ed6ef259d1cbf98d14ccf0aa571e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKoIwcoI.bat

Filesize
4B

MD5
0fdd5b7c6030f97c67a2fd1214514ff5

SHA1
bc825594e83038453bb71ae550c9ff029779246e

SHA256
69cda723d77c845fc13f6e907fc50d22a6d8cb1fc5727180952dd2140d6d54a9

SHA512
cfb05eadbe4d9350e1ded1b3fa3667428e89bd459c8839e7e81d12cd2be61b826df9dfdfaf1c322b28c668b556b052c55059c8e039859af786b5e59cd13fec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKwsUAIM.bat

Filesize
4B

MD5
719f3864dbd2d762ec93c738279106cf

SHA1
27ed30d0b0531f4a43c61340c0a7ada074b2836c

SHA256
b78b8172df674e3c25a08384d4fda735c256de730804666b4ba5db49905592e4

SHA512
86b6580a0829a8d72cd46b444a0f57c860df1446135f5e622bbd2a1f65b1f769073c0f9772fd8429565828d5c76564717ad9e02f332f817325a14f84414f53e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmwocUUQ.bat

Filesize
4B

MD5
7843bbdd6be199bb24ef0d7915f5986c

SHA1
d3490c6e2319b05280d78b694dc0454fdc6ca672

SHA256
ec1e2dc41cfdf0ebaeea15770771f86f26bb6b901ed7beafdb9a4d8fb3946ac0

SHA512
edaa6ec92ee7d8d699a3cdcd64b08a86387b67a946265d0d779bdd3b89f4e710411259854e12bcaae0995d5785dab0e2e0e8e7dc9d964e23fe142d31d097956f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEYMAQIM.bat

Filesize
4B

MD5
0f4f44f00e519746214668e719402fb0

SHA1
911ed4a18da8c0cb2da014946dcdcfe6a95d6083

SHA256
1f76b92aa60bade3819609b25827d50592721eef23a69f77036253fa184b3b0d

SHA512
99396a003f7e9af75bc1198bc01eaef429c3c453450d69f9d4719cce39aa20e68a94ae0285ed83d2677856f2f0257c7f4f3fa629c4f8e670057c3ba7c9d7c45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMMUEAgY.bat

Filesize
4B

MD5
af5bd9c81b82672301d4fa988ceedc81

SHA1
1b05e8c18641fc2629abc9b86b2fa4d9ddd5d36b

SHA256
bf53df4dc55193fe70a9c396a721201ea42616dbfc6d855ee48dd25a45942704

SHA512
a8b48074cc0b0be7d0dbc47386ec5d9ba8f3fb6729974e4b493c9b76279560375788fdd1ba8142d960c391b0829af801f65dc89e732288bf8c8d06938a2a6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWUIcoYA.bat

Filesize
4B

MD5
1cb316fa89b680a08129d93c11f35e63

SHA1
3ae803bc47e9b12f022fe78074c3365a862e2d29

SHA256
ca9e668a112e378534c855cdb2060d6d3849a049c440ad1ccea1f1620bb0627e

SHA512
84710834b2e7573848e06a5a70fab9c45a85450bd4b947a0fd71a379e7266b660e16dd94ec433e7d2dfc842f2acbfea7766788829738ef5e4681a131c6b19d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqIMQoEo.bat

Filesize
4B

MD5
a37fd0959cea3f005cf677ed8aebc07f

SHA1
a3c681bb8d4eb0fffe508075ea986307a24ef750

SHA256
669728df129f825a4fcb28848fd5ea04f3b0107dc4cca330dc537a0215a09640

SHA512
f221401d773ffad87756774702329f85b90b89db90784685d44c9dcb9002b549a84e57ac077e5b31d4c19dbee66213ce7a520ef20b0817a097cee71ffe9fec7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqUAMkcc.bat

Filesize
4B

MD5
0ea4cb37cecb9d6dd2609c19e90a00a4

SHA1
401688be0ac58cdeb95a94bf3db4175858ef2110

SHA256
76d4e9414d8edd415decd17cc5fe9dab96fa9da95e31c824629d428e9f65ce4b

SHA512
1af2812948ea2d74f2e2af18a7753691b8b29a6125308f55256e9835d33536a3b210f456887b4f9edb69a70ac3f5b19031b3b5216003664e8f4dea4c3304a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAogsQAs.bat

Filesize
4B

MD5
6ebd5cf919517bb5d8a7495eeb71535b

SHA1
a78d614f3f1689eb65ea9d6ed6302efaf2ee4ae7

SHA256
c8ca2c7923c5b3b70e2346d0f94ee0e05e5f3725f8db414b3c02319000471328

SHA512
75d7c5bfea6e59109daebda4c6fd2d3c599c77ff0abdd93c7a0a61d399576ae98b0d8298adc27b0daf41e86d744face90daaf3cf15e908375186f718ef53d59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEEksUMQ.bat

Filesize
4B

MD5
0ccc59db2fda1722dfdfd5d7ed4a4099

SHA1
06a139c4d24ad124b97630b1a2860c0b33426fb5

SHA256
3a9e00af95066994fec109c58fe4248b0477891fda7a76db06848674dc7babfe

SHA512
f5253f751f559aa3fa49932b3b904701c647f9f77b0361a60ef5c27e99ff6142cac0ef2aeaf58214a33bf5773d1e0955a8a6157686f13ee8a01131337ab653fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qocQooQw.bat

Filesize
4B

MD5
240cb96216e54b180fad40961b24d668

SHA1
5dfde1bee3ea991a056197ba7fb36e2882612e63

SHA256
519ee720a6d5f31a9a7c6027fda9364dfbe3a877593e1f4ed2e82613676c9b23

SHA512
a9c7855381294bbd5a71413ece89d74e184e07d2e88c41f704a9d9ea0822928fef5d9827ec88583bfff0ad8a3c51b9350192fe96ee9fcbf92b541f24a2325021

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyIAcoYA.bat

Filesize
4B

MD5
7a57362a12a8365114b489cfa019fbe2

SHA1
a2d0f673baa1094e770f2b5229ecc7e02541091b

SHA256
b879e2b2e4c43bbdbe1d59aaa93974909940417096b2969ef7f4f194ac061652

SHA512
072c868ecfaeaa4bee2ed0120f07997ae03972d42a4aa1dfd4cdb8da6372dc143fc49b4d1ee8c69d10998f3049fb96423c900606b3cbcbee0fad42feab02c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOQYkswc.bat

Filesize
4B

MD5
a4177aac0b434a1b0cb709ebbdf5a36d

SHA1
1eb2a497a716d03a473c3a3eab5e6be9b35250a2

SHA256
a855e323fea480af23fdcb07ea8b2048691c93d2c61054cf080ac4a4a4ddc21d

SHA512
c231b8f1bc69c18180c1ed04f9f26cf379b11243ddc4ec50d9a9f2e030fb9508841ab333da3281156659fa16b4753ebf5f0ba53fb090eef16c658493efbae5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\riUgIgAE.bat

Filesize
4B

MD5
bc79c8073857297b4c7495dca8c4bbf8

SHA1
01ee2aa711d86faa77fd3c650bef565a0048ca66

SHA256
17a4996f1aca086475c3e95407a809813a2b2d67bfdbde2045e0c17159441a2c

SHA512
8d7ac71b2c5fbd3ba0356cf1f35aaa5cc5a51ee830656d647ff2bad72c69f85e69ec0b348f95737e47d4597c9d6d9b5eba0b5535a850878e6a7fb6638b8ffcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruoEQYEo.bat

Filesize
4B

MD5
dc0815d56fb0619daaf4834cb507d77b

SHA1
640962cc71957fc15353fc2c5eb5c6a693cc69be

SHA256
ebd094c310b62de39a568df5e9790a3bc07673e60ee8a52023de8aa212282676

SHA512
c648c7f5ba66dd16069c250ba4d51a93303f6615872ac5621bb6992b16b1a01f4ddd06246a1ad1f62905bf1fb9aa2e2a9e1ea1f79209c0b7298d370dc0ff20a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEwcgYEs.bat

Filesize
4B

MD5
aeb6b0e7e5414ef5eacc88f1f9423f84

SHA1
f39230b1ab6da5b425f64d50eae5d5771a38166d

SHA256
ca4d29e81141f141e1a10634d021e5d21ef40d301b3487d761630dc90d8a1edf

SHA512
16b2ddb641cfd6b66ade054eb62f3a59d4aff05c9822de52cc3d1ab55b2a3fa38a54dcb54146ab893c45660e031c491dac6d5ede5bc00331a4d16be298c03041

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAoAgUw.bat

Filesize
4B

MD5
72cba8c574e038550c199cbb5f83457f

SHA1
8ed6ac93bf1789638f9926a0aaf76204c86e38e4

SHA256
fd8dc301e932cd399676a1ee806b7c0eba3bc90bc324a3a251ac8355cf1415e7

SHA512
5140854241417e4371f40bf8f06dff2584e72598a8c894b1c3e883bb24fa1fe12538c42cc65cb0986138e49c9ab946969cdfa8782a477cb0de9ae1c7ede03e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsI.exe

Filesize
2.0MB

MD5
c8c775ce48a23e5b086bdabd39358373

SHA1
dfdfe950188a65aae34a96e3b9eac4887b5a7f2a

SHA256
e9accc9bf966f7fe82305c7866b1a0c6f6c7053324b15c16a73e1522fad8467b

SHA512
909940aaf230f3349c8c6d4d08e5fa2234ee0c78f48b9c7bdfe230fa87a52600b57685ca98ab672f84744001467e82cab3da7165817227b52e5a1762bb4b59ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEAoQcEg.bat

Filesize
4B

MD5
2bbdcc9f7093ec7c34afccc42cde114f

SHA1
0bc9dfcfda5c9cc41034f68c7d56fdc24f6726a1

SHA256
01eca5204213e62ffb2c3807e9963fce7394b5c866f1bcabb503c15f9ed53356

SHA512
b5be170339cfa31b8be8e1c46d3e33782511be3f75dfd1d924a5b0fafed555fbaa09342c31d9a283af563183d3f6a99b80d980edb50baf00ea80fb24d35dec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\teMowgoY.bat

Filesize
4B

MD5
2ab74dbf32c9f5100dd5ca516050a64d

SHA1
f3e5054056a180cd1f69603e9fec8282e45109e0

SHA256
9dfb90b702bceab616e0af41d90a27f4b5ca8cf6f6b23d1fc6ec7449fa28e4a8

SHA512
fabb2e291260df7cfee0f7d9f2089829a9786b7dfd83ed0e3488e57243b215614d7a1eb400ef24eab42bcd2d92670ccc8a5bf3bb2c75e5e8e3f40e5200411cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmUEcwsY.bat

Filesize
4B

MD5
bcddf0daa19352b2ceb03bb5979f4e38

SHA1
42b3d07a3f2bb3ba0d34224acbf911cfaf5e9612

SHA256
14c6824f5db388f5deec6b9f30dcc39c0c66d003c7bb4061afd6cc5b81e0a4da

SHA512
55740ea05c9e82ef7c059c02867547d64302014187def87fb5241dbdffc5ff8a8e368e9faca7c087575ce057aee25b7418ce4851ccbceb08d9e9cb84b42a844c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyswQQsk.bat

Filesize
4B

MD5
5c205897ac37891ffc805ab67cf42243

SHA1
2cb5bfa673b499a9995e3a30748a0a10b5923ab8

SHA256
c3ce885f734f0942b8f6e916140fd44ee3385ec457779e97bf023282707f4a48

SHA512
f8c1eeb69db035fc6d928c04cfc10251511997804f4173a590559ae5a54411238dc1a3262f46dda6276caa7de4f6c35ea6dc97d0db3c0ff36fcd7b964cbbeb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYIIIUo.bat

Filesize
4B

MD5
c483ddbb62877ebd54a830cfb1126e68

SHA1
8a418bd9b24189c76de7123e6d5c793b9c50da79

SHA256
8af94e2a9020bb696f2a702279f47bfa02c056474323a7327f7876639a329c92

SHA512
9b71be11222cc2368c8248e20816b7cf2af4fad94238eeb575a45bbf56c38eefe199444a92daa0bc0c266f3dac1299558f9b972f6d1c9f4b5edd7c2da3f4cff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\umIIUkEc.bat

Filesize
4B

MD5
815192971d96aaa9a3de10837944d956

SHA1
8f3c9e8f1ec951dc1830b1bd209d0e92bea126b3

SHA256
b5eca07e3147d39b1059b2f8b5172b808ec014680b7acb4f4ef4e37db22b1e79

SHA512
3a95230ff04efdd0efce8d3ca486a904097930f5544f8285ebc8c978486ad1ffd2d21974ec4c66be49b601af49123bdd2ea51b151d25750f987aa0800c66d454

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIgoIQEg.bat

Filesize
4B

MD5
a5a52b5ec6fe1a32ec43eadc13b0b82a

SHA1
2bb14aec93a41c51f34a131454f2a07decc53f6e

SHA256
12533e22ac575911bf143a40bfe0c77c07040177cfdd2768f53cda41b5d40719

SHA512
30fb1bfb3017fb3cacbd463374910059870aa2c98d5f4e4511e245fb821db1918f6a850647b21f50a3271fccd8032aa4e55392dffc8c31f8945f7dc234cb4cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vawcAwMs.bat

Filesize
4B

MD5
b8e6f0a50edbb97697d9437a0ba03fb3

SHA1
d65eec767267fd44f677bb7d8ffafa9b26db0983

SHA256
cc53cfba5f4b961a868b1cb9cdad3fa0082529c877dfa7de8445293720717f9a

SHA512
c336e42f20b602c62feb4e64671f3306b03296e4f332454a01e20a82e7b82a4dcb7d077963cc6487c7a067105792638d04e9470f05ecaea5624f5cdcdaf114c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuUEQUkA.bat

Filesize
4B

MD5
cd1e086c83cee8c57e1722a691988b2a

SHA1
1d3df1f41d3081e5956688a25b41849cc18e5c3a

SHA256
464c55bb325029d70939b50a19333ecd36c761630b73d6ae025a8e2f414db564

SHA512
0bd520e9d6d91c309aec0101e14dccf1221ba8558a30928b701d56b3e8cf584dc921bea71576597e4d6d42bb5e94c1870f7172710e073a8a367a1ca4d5d78ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCEMsoUA.bat

Filesize
4B

MD5
8228387b4d6e0aec4af703139809b44d

SHA1
887499de0f754a708301f9d45db86445b285f782

SHA256
5ac7711e13b515de49890380942fbbdfa5875c2891d8cd40de9fb68fb5627fd7

SHA512
156482f3c15c51d50daa602acf95a99caa8b8afded8aed8ca825cbfcdf4411a5251bdc835af8d13db1f8bee2540902f394d132796a96a9ea18d6fb1b620c5c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOEwEMAs.bat

Filesize
4B

MD5
4851f841b17151ab69ecd28bf9f9cc3c

SHA1
847502d4a09fb589d4a31a2d042175acf551f6df

SHA256
3249f228b04736e94e1d6b0e39d0e572c1f6cf80a9f525b0b4ed38610c0192a5

SHA512
40cfccf7d0839b5eb330592647c3a56a1116098bb8006cdd92d3a46e8fc662c98d3ff6b9d8f0e30dd4e43f845e2609a4d1518a6a9d748a44c486590bba403475

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyAUkksk.bat

Filesize
4B

MD5
6c41014c0de39134de1f64b32bf2f538

SHA1
4e041ad9ddde787145967d31397dec1c5e377066

SHA256
7a7288ac6997c564e38badc35a39e8757763468936acca480f8a606f253da469

SHA512
9403a9773103e151cae94593294485232f54f538bd20ac905fd71efa31371668100820ac73f979a2c7ac95f5b9d24ccbcdf38b65e0d77aaf4960528eee81feb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xesoIYwY.bat

Filesize
4B

MD5
7d1222c730b98561b5a3c9be345b6901

SHA1
825c5ad5066fd9987b32a9cb5c48d98952735948

SHA256
f19dc89829ca096c4c6b2fd577fc5dd5ddf17570b0a0c3c71a1e7c00e229c542

SHA512
be64df156210bb1eb17711082b076936cdbce955c5b93908bd3bc59122f981a278716aae694721aa87d9fb8d48cc9c77b1b872dacc6201f2f127a81f80612d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkIAkgkg.bat

Filesize
4B

MD5
7d5ef2282dc872841ca395cf18a163d8

SHA1
69998933737933f8bfbb72d1a3ecc5ef99a1cb28

SHA256
d4daa8caf89a29b9c45809d37d84a0f25c3839572f1aaa1653df779b8b9f27b1

SHA512
0a8743c133c8155720912168076b3a40761c3113d95b83b41f8b4a39728dd8f6160a2f1830cd23374f188064685d3462f804981ccbfcb07759b2d05e5b346b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkYAwcgQ.bat

Filesize
4B

MD5
c0da6b8fdab87e8a14ea435b2cf8f8ac

SHA1
6c6b939dd8194539dbead57b066ebb56d5461b5f

SHA256
9c77a0d6077dfa3e52cf487927949c5833e1dac0d76a1a478b0205ef2c33ecc0

SHA512
442a5d51f60ced73aa282fe88cc1bd8ae743a1f0ca6ee8464c12f6bbc02d163dbfb87421e185c4b6489f7197581407fc483684fa9d3840ed4103667b5954a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuUIAcQQ.bat

Filesize
4B

MD5
11bdaa8cb0ce2026ad6da3d854d33b0a

SHA1
7678a8fbc61b071d4be0dff6856b34f13c24684d

SHA256
51d4716cead2c2ed976ee263cec7e27dbbdf1271d1e003d7a3146408481f2641

SHA512
24c44d55be58d2239db90041e353b718baeb06722e72eb2c56f6008b1e1f9a0c2bf3616a61f90851442368519f1624f61ff15f1592dd180c89420124924c0a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAQQIAA.bat

Filesize
4B

MD5
372e49ed38b8f034e5f729f3d7f3c3c1

SHA1
ca73425492f41661c4075047646ab28e5af65326

SHA256
d96e2159ae0e0d6111656455cb71dcc1ea8762f8171dc4eaa51252465e88e81b

SHA512
0fde5d6f54ce72ee16ac10b68e53cd100d3fd4704026836b86351c10854739c63b97c0dc88d73b75579238ba47658c0f341b93d80d9c04ef5dddbbdabac14c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yekcUIEQ.bat

Filesize
4B

MD5
9731cf0acb4b08af9da27643bf1371a5

SHA1
0fe3a3682de61513c7fabde1bf2f38c0f777b088

SHA256
a7f92a35c5ec9da15225d2081ea8b6537c49b077a233b684d9037339e37c494b

SHA512
d29cde2b299eb3ac7149d8039ca156d4affca05299c5038e4fedc123383c9843392eb4b1e87cc25ee70d9db6a994a97ee9a8d6eb6a74d758050b53dad1872ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymQMgcsM.bat

Filesize
4B

MD5
75c054580cb13aff9b93496cb6ff0ce7

SHA1
940924ead5f649f4286a464ac7fa12bf180ec27e

SHA256
84ed29b79bc47bb3fa5f8cc574c23c3ac730842327ec0aa44f4a0213ea97bf16

SHA512
6809e2ce689fc706912009fc1fd456df01ebeacde2a5d2d72c8631374d262a3dd7dc8622760d4a0c50811eaf587bd07e3f970bda46d4e3542b9a1b9d367e4291

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMQoIQM.bat

Filesize
4B

MD5
91676e1ae42724422662b927f7749888

SHA1
5b55c4fb46023dec9a001a880eb870449304e655

SHA256
64a5036f501af678c0c7985fbe9ee599847c3463926a73d0ddb22346eaf032a9

SHA512
f6137539f142204e4ade8647e76a5c486a0b24e67d54c2cf96dc605c813b38b0533acb245874bfde9f4ebdf40602e52afbb9b60350b0426bbd0bddf393101065

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMcIcMss.bat

Filesize
4B

MD5
6bd6bb7623b6d2079dd769a091d43ad4

SHA1
ba7585e3a4a49b6bf7f1ad94494e9d19a2c6f540

SHA256
3c704d0a978d3ad22d802fc25bfeae09d40cc1a7238ece2b430091809065e6e6

SHA512
e59314a44977c210c73ace3e46eb1cebf3d6804876731aeb7a1035baeb6fb2ea208acec6b80c98c30b340abf345866b9ca6269b3e73bf2f7aac82a1e1d7ae998

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYYEksEQ.bat

Filesize
4B

MD5
75448a24dc1d96464da1efe8bccafd3e

SHA1
9b3b20c0b3c523585318215b3dbf4f17e9b0239d

SHA256
78d358e609fe0035a71bcd11112a290b380244d02e1ec86a6358cef63638a1be

SHA512
15432f4243e3032f70f021be102ca3979c015dcb1d2cdab94c0d6de887fa58079278864030bb39a007846c56666cf31a98d1abcc3887416d117415ac47a0da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYogQIQY.bat

Filesize
4B

MD5
e84be78cb731d05d3fd8f4f7fd57464f

SHA1
67ef831b08a09f92e77ee3b246a36fc16b5439ae

SHA256
0658b351ee0b59eca7fbd90e7af14be1f94c0a0ce57b7876e17d5b8363b72c7a

SHA512
97c96aa18f9896119172e2c84d22d7d214c589a0c07c0cba356a095e37952c83b3b80e2bd142043e002f99665092d140230801054fc187f03d126d11cf33704e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziosEIMs.bat

Filesize
4B

MD5
0b2b06351f1b0129793431615e40b52c

SHA1
d0781df08609dc84957bf486d7464df9bd6ffb13

SHA256
9323dccedd0669a549739d713623045e38bcad45cbb7ce26283e1302da6bcf5c

SHA512
b86c578e2177aa3b189f3de122bf371b2fd14e8afc12b699e77901d6ee0f3b15712f8859c8783aacc7bed209f504cfbd26c2f9f526cef488ca75a746b62714fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsIkscUw.bat

Filesize
4B

MD5
252c69be1883f64334cc9049b03b5f8b

SHA1
3c0b92a40899eb2d13e262cc3025e5edc8ea49ac

SHA256
f6b8be8682afb70d9feb1d6d318be64a1775c03c8ba5aed0806593bbb95f02dc

SHA512
3f33a92d6840d057914be66936112f31222aede4e4473d077916327f04561992bee0906aaf451b967a4c1526502794825d6ce6ff08841c9f7719537831eead79

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\SGgcwoUY\OgcwAwkI.exe

Filesize
955KB

MD5
e2d3f33fea8738c51c905a275fcea26d

SHA1
568401e1d380a18b4f5e445a47b1b18c3b4c1693

SHA256
559d779d3f4316be7ed1c45582f12cd5d6f4a44488d5c37d20534ecd6fe76b1a

SHA512
851066b375cd7f33915acf0ff8b85099a4708acbbe76d274fae2f37ed5b9079257d3f9846400af67572adf9e6599217fb97a50d597ddbb40c472f1bcf6558807

Download Submit
memory/2464-161-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2464-0-0x0000000000401000-0x00000000004F7000-memory.dmp

Filesize
984KB

Download
memory/2464-1-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2464-2-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2464-131-0x0000000000401000-0x00000000004F7000-memory.dmp

Filesize
984KB

Download
memory/3016-226-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3016-20-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download