64b02f2048bb52a87478abc755de7a1659c8618cfde1bd03974da20775a2d9ec

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Size

198KB
MD5

43b05ec95088079c4c78a195d6a99235
SHA1

3c8bf9fd4623757f890847fe5c825dd8521803c5
SHA256

fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
SHA512

85f22e329d0b93e624c30fc548e0d9e44b9cd5fa1d6a0ef9e0148677d1a2b1b0350c595417cf8c68a532ef2e8bcccaf762899d44a251751cc84c618474ec9691
SSDEEP

3072:w5HoQYbm7xfb/QtrnDCWPswF9KYt4TeGdJfM5/Pkm/l16jH:wGm79/QtreosnYt4Tj/M5jq

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	yWQUUIMo.exe

Executes dropped EXE 2 IoCs

pid	Process
1176	yWQUUIMo.exe
1804	sqQksMIA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWQUUIMo.exe = "C:\\Users\\Admin\\wugooQYc\\yWQUUIMo.exe"	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqQksMIA.exe = "C:\\ProgramData\\luMoQwkY\\sqQksMIA.exe"	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWQUUIMo.exe = "C:\\Users\\Admin\\wugooQYc\\yWQUUIMo.exe"	yWQUUIMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqQksMIA.exe = "C:\\ProgramData\\luMoQwkY\\sqQksMIA.exe"	sqQksMIA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yWQUUIMo.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yWQUUIMo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
892	reg.exe
5028	reg.exe
4740	reg.exe
1976	reg.exe
3780	reg.exe
4572	reg.exe
4372	reg.exe
2584	reg.exe
4512	reg.exe
4236	reg.exe
3628	reg.exe
4684	reg.exe
2480	reg.exe
1620	reg.exe
3032	reg.exe
3564	reg.exe
4640	reg.exe
4176	reg.exe
3020	reg.exe
5076	reg.exe
652	reg.exe
4284	reg.exe
3792	reg.exe
3020	reg.exe
4500	reg.exe
4844	reg.exe
3592	reg.exe
4884	reg.exe
4492	reg.exe
4608	reg.exe
4968	Process not Found
3840	reg.exe
4836	Process not Found
3548	reg.exe
2776	reg.exe
2620	Process not Found
2236	Process not Found
3760	reg.exe
2236	reg.exe
1800	reg.exe
3776	reg.exe
2856	reg.exe
3440	reg.exe
1404	reg.exe
4532	Process not Found
3516	reg.exe
2556	reg.exe
3020	reg.exe
4972	reg.exe
2180	reg.exe
3516	reg.exe
3628	reg.exe
3168	reg.exe
4016	reg.exe
796	Process not Found
3584	reg.exe
4436	reg.exe
720	reg.exe
3096	reg.exe
1092	reg.exe
1680	reg.exe
4276	reg.exe
3264	reg.exe
3720	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1676	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1676	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1676	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1676	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1656	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1656	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1656	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1656	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1800	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1800	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1800	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1800	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1960	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1960	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1960	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1960	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2944	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2944	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2944	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2944	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1692	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1692	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1692	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
1692	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2388	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2388	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2388	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2388	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3252	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3252	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3252	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3252	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4972	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4972	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4972	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4972	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2828	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2828	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2828	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
2828	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
948	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
948	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
948	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
948	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4608	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4608	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4608	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
4608	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3376	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3376	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3376	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
3376	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1176	yWQUUIMo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe
1176	yWQUUIMo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1176	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	89
PID 1168 wrote to memory of 1176	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	89
PID 1168 wrote to memory of 1176	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	89
PID 1168 wrote to memory of 1804	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	90
PID 1168 wrote to memory of 1804	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	90
PID 1168 wrote to memory of 1804	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	90
PID 1168 wrote to memory of 3740	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	91
PID 1168 wrote to memory of 3740	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	91
PID 1168 wrote to memory of 3740	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	91
PID 1168 wrote to memory of 640	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	93
PID 1168 wrote to memory of 640	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	93
PID 1168 wrote to memory of 640	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	93
PID 1168 wrote to memory of 4460	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	94
PID 1168 wrote to memory of 4460	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	94
PID 1168 wrote to memory of 4460	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	94
PID 1168 wrote to memory of 3532	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	95
PID 1168 wrote to memory of 3532	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	95
PID 1168 wrote to memory of 3532	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	95
PID 1168 wrote to memory of 2960	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	96
PID 1168 wrote to memory of 2960	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	96
PID 1168 wrote to memory of 2960	1168	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	96
PID 3740 wrote to memory of 2536	3740	cmd.exe	99
PID 3740 wrote to memory of 2536	3740	cmd.exe	99
PID 3740 wrote to memory of 2536	3740	cmd.exe	99
PID 2960 wrote to memory of 4616	2960	cmd.exe	102
PID 2960 wrote to memory of 4616	2960	cmd.exe	102
PID 2960 wrote to memory of 4616	2960	cmd.exe	102
PID 2536 wrote to memory of 2284	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	105
PID 2536 wrote to memory of 2284	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	105
PID 2536 wrote to memory of 2284	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	105
PID 2536 wrote to memory of 2976	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	107
PID 2536 wrote to memory of 2976	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	107
PID 2536 wrote to memory of 2976	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	107
PID 2284 wrote to memory of 1760	2284	cmd.exe	108
PID 2284 wrote to memory of 1760	2284	cmd.exe	108
PID 2284 wrote to memory of 1760	2284	cmd.exe	108
PID 2536 wrote to memory of 3436	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	109
PID 2536 wrote to memory of 3436	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	109
PID 2536 wrote to memory of 3436	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	109
PID 2536 wrote to memory of 3760	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	110
PID 2536 wrote to memory of 3760	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	110
PID 2536 wrote to memory of 3760	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	110
PID 2536 wrote to memory of 2796	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	111
PID 2536 wrote to memory of 2796	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	111
PID 2536 wrote to memory of 2796	2536	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	111
PID 2796 wrote to memory of 3480	2796	cmd.exe	116
PID 2796 wrote to memory of 3480	2796	cmd.exe	116
PID 2796 wrote to memory of 3480	2796	cmd.exe	116
PID 1760 wrote to memory of 924	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	117
PID 1760 wrote to memory of 924	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	117
PID 1760 wrote to memory of 924	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	117
PID 924 wrote to memory of 1676	924	cmd.exe	119
PID 924 wrote to memory of 1676	924	cmd.exe	119
PID 924 wrote to memory of 1676	924	cmd.exe	119
PID 1760 wrote to memory of 4656	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	120
PID 1760 wrote to memory of 4656	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	120
PID 1760 wrote to memory of 4656	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	120
PID 1760 wrote to memory of 4868	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	121
PID 1760 wrote to memory of 4868	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	121
PID 1760 wrote to memory of 4868	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	121
PID 1760 wrote to memory of 4880	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	122
PID 1760 wrote to memory of 4880	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	122
PID 1760 wrote to memory of 4880	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	122
PID 1760 wrote to memory of 1328	1760	fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe	123

C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
"C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\wugooQYc\yWQUUIMo.exe
  "C:\Users\Admin\wugooQYc\yWQUUIMo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1176
- C:\ProgramData\luMoQwkY\sqQksMIA.exe
  "C:\ProgramData\luMoQwkY\sqQksMIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
    C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        8⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        10⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        12⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        14⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        16⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        18⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        20⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        22⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        24⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        26⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        28⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        30⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        32⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        33⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        34⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        35⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        36⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        37⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        38⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        40⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        41⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        42⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        43⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        44⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        45⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        46⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        47⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        48⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        49⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        50⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        51⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        52⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        53⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        54⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        55⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        56⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        57⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        58⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        59⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        60⤵
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        61⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        62⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        63⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        64⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        65⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        66⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        67⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        68⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        69⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        70⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        71⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        72⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        73⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        74⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        75⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        76⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        77⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        78⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        79⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        80⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        81⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        83⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        84⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        85⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        86⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        87⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        88⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        89⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        90⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        91⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        92⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        93⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        94⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        95⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        96⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        97⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        99⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        100⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        102⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        103⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        104⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        105⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        106⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        107⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        108⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        109⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        110⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        111⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        112⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        113⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        115⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        116⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        117⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        118⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        119⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        120⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        121⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        122⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        123⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        124⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        125⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        126⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        127⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        128⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        129⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        130⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        131⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        132⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        133⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        134⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        135⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        137⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        138⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        139⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        140⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        141⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        142⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        143⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        144⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        145⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        146⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        147⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        148⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        149⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        150⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        151⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        153⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        154⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        155⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        156⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        157⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        158⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        159⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        160⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        161⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        162⤵
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        163⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        164⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        165⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        166⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        167⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        168⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        169⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        170⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        171⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        172⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        173⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        174⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        175⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        176⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        177⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        178⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        179⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        180⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        181⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        182⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        183⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        184⤵
        
        PID:4212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        185⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        186⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        187⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        188⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        189⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        190⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        192⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        193⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        194⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        195⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        196⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        198⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        199⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        200⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        201⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        202⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        203⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        204⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        205⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        206⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        207⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        208⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        209⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        210⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        211⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        212⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        213⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        214⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        215⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        216⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        217⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        218⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        219⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        221⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        222⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        223⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        224⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        225⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        226⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        227⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        228⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        229⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        230⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        231⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        232⤵
        
        PID:2968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        233⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        234⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        235⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        236⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        237⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        238⤵
        
        PID:3616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        239⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        240⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        241⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        242⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        243⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        244⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        245⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        246⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        247⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        248⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        249⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        250⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f
        251⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f"
        252⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcoEcEUM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        250⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        Modifies registry key
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoMwMkEA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        248⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEQAAgsM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        246⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIkggQwA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        244⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqYoEgAU.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        242⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkUcMUE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        240⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWMAowEg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        238⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUoMUgsU.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        236⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nckEwoow.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        234⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUAcYcws.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        232⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CykUckoM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        230⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyoMwggE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        228⤵
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYMwAEgk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWgUEgQs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        224⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQkgIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        222⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKUYsMoc.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        220⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XucwAYgs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        218⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUEkoEUY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        216⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYskgUsI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        214⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goUQwQcg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        212⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcUYIgAM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWcUgUYI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        208⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEgQMYIk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        206⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmwcMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        204⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGIYkccY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        202⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYggsEkg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        200⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmUAAkQw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        198⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcUAQUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        196⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuYYggUs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        194⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOsQwYYs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        192⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tScwosgE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        190⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgwMwUAA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        188⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOMUIIAY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        186⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucMQgoso.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        184⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAgowAYg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        182⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HesEEAUI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        180⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWEYgwIw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        178⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMAEoMsc.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        176⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkEAYcYk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        174⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgwIQMww.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        172⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiwsAIwk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        170⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIIssQQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        168⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiEQEgcw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        166⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMUUQoEI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        164⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySoIUMgo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        162⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMsAIAkA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        160⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BugkkkME.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        158⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQAcggEY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        156⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GugkgMQA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        154⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmAosIko.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        152⤵
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAgIgoko.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        150⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEUIUAM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        148⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akQAsgQg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        146⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jusUMYcM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        144⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsEIowko.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        142⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWAQAgMo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        140⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiwYIwUE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        138⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgMgYkkA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        136⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScAsUAcI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        134⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIgccgsA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        132⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeggEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        130⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgsgEcYw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        128⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUMcMMwI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        126⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEoIQwQw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        124⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCAgcwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        122⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaIYYIEo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        120⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOgwEwQY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        118⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiQMcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        116⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSsEoIoM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        114⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkQIkIAE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        112⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmMQsEsE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCIEEQAg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        108⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceAIgQIA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        106⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAYcwMIo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        104⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgcMIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        102⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieIoEQsY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        100⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIwcccwM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        98⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MisgQsEA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        96⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgkcYUQM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        94⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMUwQQQs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        92⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQUwsYsg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        90⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neIgUgIw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        88⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOgAwkMM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        86⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqUokQIU.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        84⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmQkMAYY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        82⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwAkoUw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        80⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGsAsQgw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        78⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MioAMsso.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        76⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyYkIQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        74⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcgMQIAM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        72⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEIsUcww.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        70⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEcMkMw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        68⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUMUAEY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        66⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeckcggY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        64⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSwcgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        62⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCcYgMQo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        60⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmYwoIEY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        58⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zysUoUAw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        56⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwggwIUk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        54⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYgUEgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        52⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKgMcEEk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        50⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkoIAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        48⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyggIcYI.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        46⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMkAMkkY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOUssEoU.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        42⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSUoIgIs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        40⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGgUoIEU.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        38⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqAscQAE.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        36⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOcAwQMg.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        34⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUYYwUUY.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        32⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEwsEgAw.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        30⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acEQEcUk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        28⤵
        
        PID:3780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEMQEoos.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        26⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOsssAgk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        24⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqcwokYk.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCEMAMcc.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        20⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIYsgQYM.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        18⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkYsMsQs.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        16⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqUAIEYc.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        14⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwsogMYo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIMwUsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        10⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loAkQMIo.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        8⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4868
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMMgYscQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
        6⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuEUQsAA.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiYwQIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:3272

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1588

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:784

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
308KB

MD5
b163697858a5dfb733901686147db6a8

SHA1
3b08235a8209caa80e9eb058026969000998e14a

SHA256
4329ed045cda03066103408fb97baedcb3ed71e22a43681b7afec3b6040ea299

SHA512
afbec1f3eedcc85a9d190a14145ba66964be0ba6bd5535d23e41893e66c7f21416ba540b8c1ec981d8b527dfd494e8b2385442c1a367ffd2f08efeefc0a1d9ff

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
219KB

MD5
f0836c3a1ff5f16fab6855cd9ec1ff13

SHA1
26571d7a05bd668ea040b4f635da2128f3bf9d15

SHA256
6096ad396c69f9adf50f6c0eee3e6b346e1407c5de8cc4ecc7d930e95eb18d3e

SHA512
ec01f9b581cb8b72dd8af9bc6d1686cc81ffc9be07c4dc2731d6bc865caf667c7354b379be21762345c25e80d6e7c64093f15e4bf0757cf8f7fa30a105ffe31f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
321KB

MD5
a118d71f513b5f5a608318887a702e95

SHA1
a9c1b51edd552c561a54239d50954af453f5f861

SHA256
3e9b076965f84285d28c9d7ceff8adcb7ab505b431fa6e57c6bed009666a5ba6

SHA512
fe0a057b55baefdc4757d509d5bb3a5e12d809f850d75a9137538461f6d42ff92ce4d5206ee9c18b1046120240e15d24fae5a069ea21a79c00816c42a858a98d

Download Submit
C:\ProgramData\luMoQwkY\sqQksMIA.exe

Filesize
204KB

MD5
7dbad64b50a8d1e9f5facc31ee38a8e5

SHA1
4ff352cb62ebad7a091d8824fae6e4d3b184a2e8

SHA256
be87509d0404b2dbe40745c422361afa27adb5a455d2f4ccc5b3c82154ca468d

SHA512
4dc0a706a347260868879ef63538c52183d9fbc088b09fe183885d32f261f40cad2ddb3c9165de76579f6d4dbeca2b76768bb3461dd4b7715a567a1329b7b950

Download Submit
C:\ProgramData\luMoQwkY\sqQksMIA.inf

Filesize
4B

MD5
7e538e74c02ba6c4d441892c06ef5763

SHA1
7dd0f447fe9c668ac1c45b701274cd2ba0dd3948

SHA256
95be18df76b57210dea0bf28b5c27a30d6424db7823e5b3064d8cc9ea60c08a2

SHA512
20f68daf4e9d20d1492981e3bd55f7da451d69e7ed9da5d03497a2ca66845dd335556686fcc7f4dcabc22edb03f93fe9ad6ffd8aa4d5ea4a8bfab8ff4f0cd2b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
185KB

MD5
8f36b737ca449f9a49bb8177c4650fdc

SHA1
fab26e5d2a51a13a36b116bbb8c63fe6dc7c7a1c

SHA256
24d606e4f19865c905a48cffc85c793eba7531a972fe3a355016a3ac5a4f2fa5

SHA512
ea2cb285b0a06b99b809bb8702d8a43ebd9a6b645e7a67d5b0bdaeb9d2455d3798320b99d4750ef270cbcea4df32602268617475eb36f205337195e5d1a3af0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
209KB

MD5
1b9bb46d863cd733d14b68a2c849ee37

SHA1
bc6bb46c068c833c2a8d71a99578ca651972ae7c

SHA256
7efa7575c895569ec639b278d1e8a34d999bce54ed7436803a450275809040be

SHA512
fce285d3ddcd6626eb549f74611419ab39ab6d1c17e4fa343fbf357c8277a3c2d702f9541c368b598c237708f660c67b028a71472c32a53acaffa4a935c9c69c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
194KB

MD5
cbf785d427319cb84ea93232cead40bb

SHA1
37f7c94aad8feb662affcae2e3b37c4ef1a8f299

SHA256
7b3da0a20b05cbeac0552b227a38e20e93c4cc3bbf44aba5d461e4c2fa4b47ef

SHA512
6acdc90817c09dc2beb85678eeecc452336d2b36cc04b930e05c205ed77b6dcf28a251e80a6a0826ca6bb24c37828b824b5a74887a2e101b8ef4401a9c2bebe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
202KB

MD5
fed1a080f4b1749a293e7d655648240b

SHA1
9965ea9d90cf51fdb9bd7010b20c217a2f940352

SHA256
eec72e3eb6719beac10bb6fc29cd0494aec5503ebbb98f7ef95636ade9b4f48a

SHA512
13ced71070a182817751479716aa72462ea39eee6741f979ef6f265980d75d438bf3314044e695a308e79e0d1d735a382f25e7182798c17336732135313eb8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

Filesize
194KB

MD5
f5b235026582bc620de9ef1d6084d005

SHA1
82ba19bbdb6efde52d9f07ec192eebf357ba9465

SHA256
126cd05fc16cbc1afb52d2bd5b0c38c31be275237eee3251137b17002fb777cd

SHA512
c27707b74c07c32582007a6a1bdab1c9e21d1c5ba25a9390eafcba090336a7c3d870629100d105eeff318dab11fce718f970d8f5160675008061be1b688cae31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIIE.exe

Filesize
193KB

MD5
bee7bf7e1f08d74d352e7ce436caf31c

SHA1
9e5544ba4737157e0a38a620726f91b881c1733d

SHA256
a756f3769e13ba650078e06066ade377f970fecf726d30ec6073dfb5253768fb

SHA512
34151c2d6d84535321f962da2aef4533a8987d0946c256832ccebd8972599899c1f1429c1d87d82d77d369b393f297091df8f8c2e8193f893b45ef50b5d41099

Download Submit
C:\Users\Admin\AppData\Local\Temp\CscC.exe

Filesize
202KB

MD5
93914428ca1d31ee1c2044e4bf6f31be

SHA1
2080ad9b3ddec2a179925e282d875bb96b319822

SHA256
e0ebfce248bf996bb2555ed0c582c1886edd7815c62dc0c6eb396bd404f2aecf

SHA512
9a57275adc8883433fe34c320573a4d742e7a4b6aba7a4194dfd5ec009f9e0d85bd78a02ae89985cb33e7ea8646a4a2306c705cffb4edb73c22f1618e8c258ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAIw.exe

Filesize
202KB

MD5
54657a232010da30ea9e02e4b03e5912

SHA1
33453f1ebfdddf5a992083480de18ca3b9d173e9

SHA256
5d67414c94e9553e29899e20548e3cd73175223d755957a85aec2cb5a6014d50

SHA512
a938a8cba4f444dca6de71339619a51dc24205429a9e4b2316b07170c431166a7a83b9294522ccdcc791780dabda5ef97082ae4af7935ad5f4b92fca52cd6a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYAC.exe

Filesize
801KB

MD5
86bd084bd2fad7ee60b3f0b86de698df

SHA1
0946ba1cf664848c1511012b92f8b308e0156876

SHA256
84c85f603f4553f3fe9ca25ff2da33395124fa1ff860641f365f3afb22888bc7

SHA512
f6689bbc83e75cd2ee111d8dabadb324e3973bd4904aca0352cf79f1a4525cc250d4a9e1e4eac50fb6f993b00009cbac762bfa909863add66fa4e33202ba8616

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYUY.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkMw.exe

Filesize
5.9MB

MD5
eafac9a94a29957f861300255fd6fd81

SHA1
031ed5d8374c7b67c51fb13e0005cc60af2987ff

SHA256
79d756755b1ff500c967b03312b88157be39e62a325a57e0427fa0f5d01e5e05

SHA512
7d70ec1f8b3ecc852e51dd45380edb0dbe3b43314d1e234f0f27be82f64612d151f96677cf155c0d02b790b82640314b0557e276659872db809e0e61e41df2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dsgs.exe

Filesize
926KB

MD5
8f31b7ab554008c0aa9a9c8d57e12223

SHA1
55a5d23afee45670ebd74cee25a15d713ba4fb2c

SHA256
7f74bb0a209615f83b2d776d645989349f3788582e6972d96a2f2f0327a31333

SHA512
8056500def6208f157d679db2b6282c1edf27af1fe80e755def44a8042971dff9be37321c75d86101f411ee4171dbbf8caa6aa2fb4fb7f3efc7e233b692a0118

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIcI.exe

Filesize
230KB

MD5
a1473f5cd4785a2133907c54b41c9521

SHA1
cbd69a5de6dac52e6aeac4424d75121b1f29c479

SHA256
805d7fe72f2a027549706f522499ad9f9f4deb5694f887e91f1687bc5fd6f7ff

SHA512
7215d67db9b291f01ccba1f381d17d1fc0a60a15a11d519b524b81dc0578b0cda2445d7f50234137e4ea4945c46fddb171ca5d308c1c85afd180ef5c73879e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUMq.exe

Filesize
1.1MB

MD5
55da943ce5915457a7eedb2e6b0c4ea2

SHA1
407b4c15cb8371c88461aa3ca1de74364803e03d

SHA256
a78eb1de36848f93198e685eb4b2fcac6d2c15f426f7bcb2fcbfbe6991b460b0

SHA512
686e7ac06fa9c29fd26856e694a52d3b2ef085723ae767023b90423bfa73d872c021780fe21719c73e318a6e22ca8afa93a21eed13243913d391fa16c1d89ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewso.exe

Filesize
205KB

MD5
05309a00d4757068f69f8896371505bb

SHA1
49866308476aeddd231472070d028e046eebf83e

SHA256
cf878b722f3e4691c81388e020045a17835146415ea94cbb1f2803e56c8e0d80

SHA512
cbb30df2623692e653d5b731a2ac1a4fcf33ffcf1fd15706b4b11c27d82923f1db21a397b5e5b7911fbd9e4df57fa5f9e1c8bfdf848d9ff4a02f6427f6ea3d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIge.exe

Filesize
1.1MB

MD5
2236592af15275b3f049fc382cc5d2c0

SHA1
7fe8668b6bfc3bbc8088060d3216121fa465c3b0

SHA256
bd653aac3bccfc93d0145bf4831a1721952c66fa94e58c15b6f38572efb74c31

SHA512
b94e02bc4570e7f3e51d6342c31fe33156a3e9aa9f2e534e4183b8211303737a61b63cf4e9f52645a908debf6ac7a2a3ba6586d7a11e965b8e0ce43874029988

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUQ.exe

Filesize
208KB

MD5
b43722655ac189b15b99268a8e0e32c3

SHA1
7dbdd2a4f536039e4911c6dcfa98a327c53a64ef

SHA256
8c1e259024a29a75ece8aa203391f7f1c6784a0b3411bede899c17fb1ae9148e

SHA512
dac6da08f044276a28a6bc097f364431b539fb50fae09d1fb28e52956eea611d02949ccb9c8cadfb272a984927310dbed15eeafe14a88565b28fa729db4e98a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAYC.exe

Filesize
218KB

MD5
6b2c132329f14da7f391ee4d50039152

SHA1
51d39d5851e662df53200242f696c4dae0af888f

SHA256
e60550686fdf2019763fd87c7b6d5eccca6bfa32ba01aa6e152679c95c1a4321

SHA512
f07170bcd8e81b87df2fd4e78a2a137c899261b6c2142d1f41a7b902463509c946c580ade38dc6b85a3e6b4419cdef58d570798f4342ec36de86016c073ac2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUAE.exe

Filesize
582KB

MD5
d3362a4f523c33235ff1ffa9fe75160b

SHA1
7530d869fbb4352e9e6eb6d1e28122123c30d62d

SHA256
a6b5509f51c0def662bf5a1851de542fee098eb833e87647421ed51002e47738

SHA512
3db2fc6638d44b5d178d947b1aea9a44e9acf1780d6bee5e01c0db752e1628ad1c267af74530e97ae241e577e7d430750d6c18e475f08a132f24ba94d072481b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEoI.exe

Filesize
202KB

MD5
637a09d66d62650043e92f582b525424

SHA1
f9aba77d5f931369f18fc91ab4cf38b0cfe93786

SHA256
c256060aa3caaf7f6be6f6a8aeb243460f53cbdc06311983585f9b2917bbbeb1

SHA512
86b97dd5594c1143c2f4b89a9f0bc42dfff4572f73884dc10b31604d3c4dc11462f4d1d36f59e89b1a92d9e3eb74e2796dfb27002300464786da6017867e8c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgw.exe

Filesize
198KB

MD5
ede746a3037776ca282bda6835493191

SHA1
4668f3837a7e4a8a6eac694ac4fe601447f080c2

SHA256
ec983f1de88ec48e0794e29381c0fc473520822d93604d3d2a393186af5d38a9

SHA512
8818c695cb2546e05f6cbbfcb1fad91b3dc91de049c0513809ccc29f39cc8b0e9f6330c47950eb15e085222f1c6c20baa71f57f2ea95dc1f4acc2e021128e541

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikcq.exe

Filesize
208KB

MD5
e1c100f8cebe017fafd666ff8f35c2ea

SHA1
c76de2d5e97104245d3fee6b6b70742bb1262e99

SHA256
a97f19695cbc6d3196daba4f40e70302c4b0469f4b86ff3d0c0135d168fb9d01

SHA512
63a7325af15ea29f01f7b5b02908633aa4e71a4a883b9caf0b4edab3b66e0c787085ffd4ed108c55ac9aa170b0a2db5013c040ce5518fb42218601527cd44477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iscu.exe

Filesize
205KB

MD5
4186f1024ec16b92427ae596b423cf1d

SHA1
a74cb45cb00d6ecaa1d3ec2a5e7a46c6b5c2d74f

SHA256
b70419a848dcbd2af4b1451a62e224f43fe37b91fa7217a5f8815ec6b642de87

SHA512
9333c8f52eb2b842ac87ec5bb97f3ef9b3a349a403da00b5231b9ea90a7f7d0b1035048dea3f0292726694b8d678d7ac8e5f0e0c5b45f9c9d7ae33cbbf6a0a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEw.exe

Filesize
198KB

MD5
15f1874ea6bfd4814ff3a397ae97f87b

SHA1
7ec4f031f69986c1193e238d57a1bc2bcfea5842

SHA256
4c98cbacc03765620f971dcab4ed9f8e9f7aeedd1bd79cbe5103d6738a3493c6

SHA512
7d906f0b4be9f0d8b8251785810d6116b12bf70f7eb7be5cbf3196e25add1f77e1963db0b96ee89852d2ac265f029022c4843d6a8d16f97fcc2b26994987632c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoYK.exe

Filesize
230KB

MD5
9d2e12f4da210ed0ad4dd5ee2dca3838

SHA1
6882e418d36fd94a2bab0515ddeba4b4fbe7c824

SHA256
6e86724751645a82a825f3e1071af12e0f66b8db194e76dda0fe2bf5efd685ef

SHA512
fa3e35049981689e7627c241fc5da52e9589bf78e8c7a93df75fcb2f73efdd93b11201361f4671debf991af4cd91a1c45282a35c6adfa26998d77a3a65459bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcwk.exe

Filesize
207KB

MD5
d70cf268367af5f18d1995b76997223e

SHA1
f9404e96bba6bde7a95d71dc793cb34969f801d0

SHA256
a7a55ee2d9166512335296c7018839cecafcdf089f6b3af5123b2301cf16e4fc

SHA512
0a4dc6849bf0c52491d1490f5018bad5e373a7f6485a5e0b090dd9c8de2d7df9309a8bbeb7843cee25be661bc2dfb2aafcbbf1d5b6f4c08e447c92bb3537148f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgcg.exe

Filesize
189KB

MD5
eefb9476c735a9c1cc3a0f00fc7e0f06

SHA1
8b65b8adc1d6a2e544aa52e31dc480f092234ee8

SHA256
3382a2ff93afb4d8221e814ef6027a7602cfc24451a364f551c6b31759b717d9

SHA512
cf4c40a4090b89a2b54f8f193d28867b3d6efdd2c922c188bbdb9ed2e19c56dfe3e48e8b3d5fdaa89c559ce15a653c9a3e0e3459b3ecd9282a6e9706a6acc43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEEU.exe

Filesize
225KB

MD5
3dc43698f3ec2ec21f1c4d5bbb104b6d

SHA1
56b1eb103a535701ddf8c4d9c891b4fd2b7bd837

SHA256
2d9328d98dd7e57603bdcdbe06ae71acade29d7d67fe43905dbc423f6129de38

SHA512
23595877212b39d1ef978a0256fc01881b1987ed59ae1472a5ca7bad82d8adaa1583be622c2e3910dbb3e49199f1300d111c0706ba3c778ba587cf71450a2c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgYu.exe

Filesize
774KB

MD5
2846b1eb07cb27036e123c022d2d4d90

SHA1
383c0b90412e46c930d98e9c9d891cb18185fb8c

SHA256
583f59c18b43f074473a7b0a43b21c2aa6078240aa84d2e52171fd6533c31bdc

SHA512
d25f4a740ed2fc2edb3b8cfb6b769279909f1b54d7e3cdec6fc7949598a45644283948b47b2ad26edce3083028f11e25f0e5346e61eb80d8b4e43e606fad85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsW.exe

Filesize
882KB

MD5
592e0f0ba7c9e6fae98b19f615c40b43

SHA1
773d71684b29307cb311279ec2fce1e87c6c8aaa

SHA256
5d0a53b024c52bfb231ec5cb93d934b8e42611901ced17b3af0fae7e53fe7772

SHA512
9a64139e7d5dd66e96a2c32f626a5b572031b0abb4d885ee118797e5fc7eff16221a09039b4b5b99025859ab59cf67ab406e87174ebd3632574563d4e58f0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwUA.exe

Filesize
193KB

MD5
a866b0828c3d61cf82e87c964a87020d

SHA1
800fa84b7139f39b50bcd7b5f04180b473f858a2

SHA256
b08750e9712033af14aac16385d85da6ed00d8a62e2d3b1b3b26fb7428f6543a

SHA512
5234c61061fc8a768d12f3dcbe7f170f10a7bf371f67b7421c9e024f4d67aa9cc83312ff328ac786d61ff072c6122056c479afd32fc2039ad705e25c78878d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkEO.exe

Filesize
777KB

MD5
7612f2358d59b9d89aed2e322513be4d

SHA1
a5cc0822a78d0fec2e7ae0a8dd61cefc7100722a

SHA256
3986793ec80c7f52079481a2af38046dd60cd4c3d7613e275e4954bf4d5f75a8

SHA512
2b869868eb50aa4ec246916a63d5b888a1e1ebe8bedcf62faba86df404a24e67b5be54d832c53c74ff88e53ec9cf47bc98378e16f2d0fb4d67e82fac9b9e3b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoEK.exe

Filesize
205KB

MD5
d0c70cc9f8c8b0c6a60a4946d09deb9f

SHA1
1ca4865dc33a23283fbc08b91c94f5d83903cf63

SHA256
d5130916731ebcb92db504754f9fdeaf13f5f564d0b1309aef46d1267fc9c377

SHA512
938e1c7b88422cb81d7a4a021ac7c325b4d330bcc4dc221867a21a18f7f490eb35a4f5a5c2792b591d2ea2081fcf9dc08ef1013e19d97655c11838ceabb36b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsMu.exe

Filesize
208KB

MD5
544d0545e0ecef0462719bc4ea0b0d2b

SHA1
12d731dd4eca90f515c7972cbf063d922f53976f

SHA256
979d2170e5fba2d0e883620a07cd33e941616ce7f5670d69f6cccc91bac29030

SHA512
d2ca2d5a63640f7bc2f4abca97d7561894d6fc9624b4b3edecfbd86e64fdbbd905d3d5106f84221cef0c8818f79e375fbbc08d9b3b0776620e30d7b98e82fb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAgs.exe

Filesize
812KB

MD5
a332b53f0de9440ef3ab0c8dc633d038

SHA1
3eaf993ec274087c8f831e4369bc5b82a31a7dc9

SHA256
175d54812caedb98c09859dd33b5727527c4d3940a078d87f0cf057bf5397a0c

SHA512
c6812e0397a36f5eb741954e32b84e3451fc8765e0fdf1c503ce4cd928450f11a99f1e9f18510e7896caa0cc80dba6fb22f4799dd4b8c4b47eb226e2b03abb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIEk.exe

Filesize
215KB

MD5
b85847f7fef15057351e8dbf79d239ab

SHA1
634e6d24628889eb5a72bf97197781f426a7ab7a

SHA256
f827fd2e2f1949f86edd8f7383bc36c347f1c43dd6bc6aa5e028d6dab5a80a41

SHA512
4d5705d579fd0ffe67e1647af5ba876fe08cd0079b23561183b074d7a3e6ef4baab04297c87a81eca5050dc05c22e9660ada89dba7c6abf941ce025006a9e0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkAi.exe

Filesize
205KB

MD5
6e1ac421938f8e6c5d79f747515b45de

SHA1
2d65f089d93af72cbf76de7123ee1891e692f0a3

SHA256
7ac1776d5ceaaefdc8d5a06d4c7c4422ff86664af68061f37a4fb96e2e56c340

SHA512
358a1bf94537277adeb0c2a2465f7e079545d54da37a2f361ea74c6e4821985468486d5307109eb614df1d833ddafcffb82940f13436d0ade43f65f9ae073aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgwO.exe

Filesize
210KB

MD5
0f73156b023500bdec5e15d2521017bb

SHA1
eee6f65803ad9244ff1477b46779d6756130d008

SHA256
72b652d410e4976b8ac7aae10dd658a716c23328f271c2edc2b9a3ecc24f3b0e

SHA512
92c81b5c8656620c711d6c7bebd2a70b5f88714e38007f96f611130b4a6ffbc25fce0fcce79d23a306b76fe3b35662104e90b26f352b41af571b8e65f219deca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYwI.exe

Filesize
192KB

MD5
5d96c180883366041aa60d84b7afbf32

SHA1
cab6c7d25e80d624850a844bbb11f072e333a57b

SHA256
10027c4de3cdf48e922af3dc9f4f86510ac54034c64b1b86c68bb1ac1fe196a3

SHA512
acc085570c9dd52c31a13b455cd491062419408f3fbfe3f127c83febe15749b8e9f80a1dcbdaacb28c4e31d1d45453bda1060de356aab1762d68248547f73a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgEm.exe

Filesize
658KB

MD5
d3253b3215b3882e931a1482c166e4fb

SHA1
ca52ee728c930ecde4cb302e5051b4ee8f8498c9

SHA256
ddaf9386138d089ef7138a3ac3c4b7e6bed8790fc8d8f231014d9560fbd093ba

SHA512
b54e941181a449cc5a67b000710265bb224bddbe731f16c4b36ef03eba61a502e4d0a1733fc34a8c595f5326d9b066dfdabd9946f2d2a5af7a4234b403995939

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgYY.exe

Filesize
203KB

MD5
816126926348507cf9de333f8f48a8e8

SHA1
bd3e2a3cb33c9569578cd7a5346b0a8d0976fd55

SHA256
4300766adc863a9b87048996bdfd0563774490ac50fc1667c4f571ed261aa2ea

SHA512
5ece478dc6989b6d862c5a31cce9c8baeb5e6362cff861d7708442fae57774faa5bbb19c32dabb31e5300716526681d895ceda1d7c8c5affcceb7619c1e45f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQwG.exe

Filesize
5.9MB

MD5
189ade1d8e6918b0803eacd87e38f28e

SHA1
3debdf327ac6cadf95fa7b3d7db57feef5032e1c

SHA256
67d5a29ba1fa51e58b452c91667380087b6e4f983a313bb863450f61b5ce6108

SHA512
c9d9b2cfc56b53c0fe3f7662b38dbac69a26a2c139dcff97e7e44376f5563c92ea87dda175533e14dac650a0b219f2f825d1e43fa002b15515d9ceb266d5b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UooA.exe

Filesize
198KB

MD5
e46facc5f2defe2d927ef8582d388662

SHA1
f64b596aaa960a6476bc127a682958059b9c4a98

SHA256
994a5cb007d0d968994004d1dc5d0afa66806dd1bb6207ae460882342db4beae

SHA512
63ee1acd733bed5a5da364ab5de0dcd372315aaabf402dea758073354c89f3d2033b3a80daea47f4ac997b8d499a661326cf10caf06ccebe22e1064be0ec7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAQK.exe

Filesize
194KB

MD5
d5ced395e5a20a584428f2f219920df8

SHA1
ba4f01024fba0c2517df97f89f1fd395ee313d4d

SHA256
5d01fdc6f540df73441f4edb070826ededd0e979688c81929999d5ec6cb569d9

SHA512
c45cb8f0f52732ef067b40e38dece1f03c38546d15bc21d1a2ea2fb0def67586b3f9d2257364b876c3f25042d63591b29df2d2fbfe48b85e46dc016556fb74f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMME.exe

Filesize
193KB

MD5
00fe3f65934e3fa93e87b19ed4e4818c

SHA1
2d809c957767254b57c3086c5c4595dc71cbf7d3

SHA256
2e28cb4a222c8cd672d70ef6d2dc0076d7b762b78e3c84c3b9178897c62d6e81

SHA512
e1aba0c69ac52eaa2cec5fb4efb272440459c29b4cfa86a9a5236dfb7a3e9f57f03bb513eea6e16e74880710dfd474b6728a5980e58ab8ff6b03b60609f1b232

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYkG.exe

Filesize
191KB

MD5
af25e17d20dd912d4878b8c6f61eb04f

SHA1
1cee000c10b7b9a4d039e36858f44b72871fb99c

SHA256
be9cbdf21a8e290e50797948a19cb3914bf8fb9c4b15f2e38fe59239d54226d7

SHA512
4c4e513eae4b387e660b73033820a1a757c67ea66c7839d97b966f07972e3f1bde433524e2a704378e2c952230324a22a66e2b4f89678d833d536562d17a3bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiYwQIkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIwE.exe

Filesize
830KB

MD5
f765560f75d4c5d37876b405781a6b20

SHA1
d1cb3e91e8a47ad3e850e40d2345465297d41cf3

SHA256
59ce811fc61afd6a7760b966a9b3e1f67d589dc9575d273ae5fa9250af983ecc

SHA512
d12780dd6906a1dff0a0aeca1da9469eb5a41a7ca3f5299ee20614275634b8493e2fffa4ce526b4a8183b0ec574e2953b1b84526c74165c5059c4fee92cc0c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQMu.exe

Filesize
210KB

MD5
40319e02e0c565af03cfe1a873839c12

SHA1
b132e8a8f49026de3d08db1858eb289c86b696bc

SHA256
fe53abf1ccc52c7fe33a91390d1df624c5fb31796921429bcb34c843d62b924e

SHA512
a1cdce217998989b36371cae64b91442b32cb39e6ed5c0b624d6e37d7abc7a292ce08ff965b78c9aec84f8fd27ebbcbcb5331eb51901d5250f6b08f41425fc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUAm.exe

Filesize
187KB

MD5
73c98c80011382d3e04934c3c6f887aa

SHA1
167f4608160e8c3616cb28136e5cea37ddd613e4

SHA256
4698e214e03c3152a50e94a9ae8f7ae803e3051f44ea7b1c7b3ca42b653a19a3

SHA512
b160aac8d37f222ade06e6a5fb0cce163e2c47a7f569d3b44716ad64ff28ce8da91291615b62d06ad825041f0414831ca5573186fb3baa83565c067417d06775

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkoM.exe

Filesize
5.9MB

MD5
2ed6ec05cdfd022fda24976839bc6025

SHA1
5a49b3bfde06bc8cb61031c2c7af1657e3453cc7

SHA256
aaabf364d55ee9dd883cf66daa4490fc94e28545d46560867f55db652587b63c

SHA512
0a958eec1ed677b8387d344072a0258ae7af321977c59c996eec8bad509dd9df0d132e5ed7163b437b84fe66726d2d1844107fbc91689170240070835da46d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUcg.exe

Filesize
641KB

MD5
9e161e2e4dbdb80ad38f3c8676578bba

SHA1
d991db83a101615a492344b2cd66f031f749b47f

SHA256
49af1474de4d1dac304e5f2c1702dc46914a375b0926b9825d553e3998809336

SHA512
e5c4d7113ddcdab16c40c5fd2d47708a4180ee510152c393aa6c14615120061c1506dd2d77886aaef30a953c0f1c15a27b5ad22707245a45bf8558ac375f026c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwYU.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIsq.exe

Filesize
1.6MB

MD5
15adafc2fd51f24d5e69c295ca30a638

SHA1
72e6255d48bfba2be400f04bb9b43711de571ccc

SHA256
d3b69b376a24e49b5b7b84f463a9794c86e9ccfa1554c87f2ed8f25bfd9d800c

SHA512
dc587f2c1ce61f802ac7bf98703a33987decd7cadac3a0a792249ec9f31ae4fcb42103bf1ca42b2b04e4427faabe03be063782aaffead623a928fe7253938896

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUYq.exe

Filesize
615KB

MD5
9f7dba2710e540750ac8019034af033e

SHA1
f1e96960bc7dffcc128a869dc085393657af9f07

SHA256
2caf2e83f94d455865a32ddff9622bdfd367afea4e04d15182b2ed7ce6ae0d10

SHA512
b7595053fc2fe0e04fadc19b024926ccec971b3dea2363ebe7e8380b124094b0939afc7a9a9dd41e3f88e038ed02fe6d39cbbaffb87b9873e1e22f822b4874ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\akYk.exe

Filesize
187KB

MD5
41945c836d92f5db8e542715ec74897f

SHA1
2f658269ba48f02841d7d8598c3b2cc41985b06f

SHA256
d989b75253cb12240012c853333fff938b5f0a9dacba135d8b97117e8371a102

SHA512
41eb782162c0ab94c39becfce83bb68771d7689f7b56abb3ee612d05c26c20021b9df8b7e24095dfd31d0a0cc59450641f8df5bcca35cb715fa43400c4fee0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\akgs.exe

Filesize
634KB

MD5
cc82f484ce47665d54c2f854f11bea07

SHA1
9ca6df7f3ec9b1b1751d7f7e358834d60a72c544

SHA256
088f9e48f843f590fbb8d9d270aaf42e426d2eb8cfacb5cf3af838dba3ad144b

SHA512
b7bfa9c1977f7da9eae823c2a2b532c86630ecf8a5e66e7f4cedf4485b04c91dbc434907c1aa9717e0c2200436738fa84a2fb567ba5132e1e5acd993c55090fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogA.exe

Filesize
186KB

MD5
d38d4dd1f38d26b027b71a57d44a0ad2

SHA1
f7739a05683930c10574c3b6d4714358a87f17bc

SHA256
ec362d381c3477c4a220789e0b6f21a8de32fc55a7e1bcb05af655c4ac83bf26

SHA512
08085c9db72dd8a307c1c80ce49e11bab836d92a6b911ba18924cc922ddb3fa3a4153f486e43d7bbe23add31467f50084529419a9f02eece265900e01db4302c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsc.exe

Filesize
803KB

MD5
4ca2baa4ddcfb8073aeeecb3cc9bad13

SHA1
9ff105bd4c3b79a9c446b2a886470d9d14563de9

SHA256
ce21f3701b15717de6c4de93694febc4463c400425ab587fdd953b6bf043dfea

SHA512
caa6eef5a84d42acfb30a8c8ecbf135d93d138c2d13b2e63e45c9c951debd14185246b710bf9458e9d8fb373d59ca5aee06a44ef2a5b62cb2430a51d7eb5194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAMk.exe

Filesize
197KB

MD5
397c1307291511a23e909a590be3b16c

SHA1
ae93012f5f7913c027acfce1f58121b75c8f08c6

SHA256
4a6bbf5c5c0179546b911048565d97019a7e39e329af3e7d9ee44c0d975623b6

SHA512
37416cf246ebea70e9e1fdc6f32c62316515ce32f666f3d9037c7e4bbca0465c156dcf80c2424c0c75acc55773b156e182f8ca21e905702b48fbfd221487deb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEMM.exe

Filesize
5.9MB

MD5
aaae6f01bf16c19a21e1b95c03a39b2d

SHA1
1aee88a9ef28acd787ab7818e23fed9a08a5d184

SHA256
7d7be95d71cf70a56809089f6f8d61f421da7dc28daef6de116919dc1f12f973

SHA512
ec9c803e5156e72c88edd2caa58aacdc72b64b54ac5f227b74a0b06db09f328bef87643dd364bb703d1a6772f8a4707c897c82c23c75fe9c5c34314e3b7f58d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUsq.exe

Filesize
201KB

MD5
9b481b9b1296359ae787ee0bb2112f8f

SHA1
ec464b3089582b57eb0c7b1542ed5296a8ebc06c

SHA256
43dd6c34f8284a31c0873acff03ccb5d2e11bc0e67d40a98de43273a68e398df

SHA512
5ae22dbf4e66cde9077e9f2aa9182f3d861ef94302fc0023f6955ef8786e00e87b97e8b2cc4afcc18f7c627e0fd9e358fcb50294dced349d73be0cf19c961b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsoA.exe

Filesize
218KB

MD5
c14e2fdbfd459c79f02d428db3ccedd4

SHA1
d3bfca7d12496b9bffab0be1a77f72ec6d8c82c0

SHA256
257e5baaa4a998c22ab883385a67cc3def3c0369aa6552b8d27a960c1d4d6813

SHA512
61fd27a2eecdbebc6d091b138374a713a244d52f670579439ff43066bd1aa888a2bf42fbd2bdf5a0f591660cd90a8925b7a8689f28973ef5f97707f2c9e550b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwcq.exe

Filesize
323KB

MD5
b2c42ef86d4f16865494fe0b333be543

SHA1
e0e2d9eccafd87311e4fefb818fe2efe4d3e8a0a

SHA256
bce7a370b7ec839802f668fcbc4451f97d72e474c1b70966c92e8b70f789fffa

SHA512
42ad9fad77b97b4fc4e5940bfa171ce4e0c0666751e048529b9556a08840551268648f272ef501cbfea5040b98a89f76f9b96e68dce5136655268e8d9449e3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekwQ.exe

Filesize
311KB

MD5
f8297bc36287e1347823f72f1ea7fa79

SHA1
228c189d0f0e50ec6ba5148e992f746744f6c816

SHA256
08e67d18809f16c5cec5b1ec77c20a1957a886d9f28a38aee2bee7888352556e

SHA512
874921b6d5e03cf91b20dc3c6634cb25079d58345216506be05f6173752f393051fc871c2b915c881d9caf8b7c300be9376b559ada63a54cfae48e33c88be3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUoe.exe

Filesize
204KB

MD5
0bc70e0fdec594ecf5e38fb52fc1287e

SHA1
209a71713502cf240d7d0f3f988dd04249480f3d

SHA256
dabd417b13b6907bc1f58f50f3cf63841814d1d7b8173bbc6d1d0e205ca1e7ff

SHA512
6227c4bc15f7693a899f46f80774d8fed1349f0c07b84b73ebd42505aae4355e5649dc32e89610a34172f15e7dd49ab5197ee3e197c1978f444edd65887c3d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc6c4d24900b4363f1b0ea5954b831eedac2ecc011164208ac5b7bbb461db40f

Filesize
3KB

MD5
4d8b8c8f1a68a4f320da8294a085f251

SHA1
3f9f7099f963a889bd8bd72237dac63467f3dc43

SHA256
6973a2aae66bbb99f2b57f2ef160182825fa5305444511ca1eca4e1b0b38528b

SHA512
35a65ea0f28542632dbbf42cf8649faf0fa214614614ca9b7dc046a1a80f9ab6b07f7d6956b2a039e3bfb31d272b0ccee213c67ab6277c767eaedfef2f583eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQoQ.exe

Filesize
201KB

MD5
529044e55e0eb8a53c2266f7c11d5afd

SHA1
36bee86654cfa715cec8b3ff72c63a9f7ab070d4

SHA256
3ed91db8c76c486648cc6c157a3287b4e5d5e9c366e2c3abfbbce924445eebd6

SHA512
e7068190634882eba8cd457fc2925e115171218f3bce8d4a54becd4e0b3ecf3c0a7cf1e1b5db3d2fa81902691e65c09129b94fbd06b70c43d731c7296d73564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUG.exe

Filesize
815KB

MD5
413c6c013a97e0539ddd87041691ce05

SHA1
e930659656e04fab59b961c686e3bd02299e35c9

SHA256
03b7ac019a419fb0b4ad39bda05d0daf866ab7388703fa2fd6eab9c3680d2e92

SHA512
1cdd6f2f23bd90f30fda6d77be475dacd4290b783720b0dee99ec8e57be53c65fc4bd36bbbab809f3a9335577ac9a6e2a15e514ac9fb471216e7b16bd0a4978f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggsu.exe

Filesize
203KB

MD5
93209e95b8dd56f741461004d7a8da64

SHA1
6d450c2176d18a3191ea372951902954772cd7ec

SHA256
96f4cb47a8c3f6453d2c39fbcd21a079da7d78dfe38a708fe33702207e60d495

SHA512
356ed9b4d0cdfc66efdb79f35f633c22fb45ac2b615c0ad840291bb4e1879cd2b456efa2142328ed1320b7a94b2ff106da452e05d4013d333aa0c672b33b5a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAa.exe

Filesize
189KB

MD5
77b98ca6f1d102bac8bcc10d26c7c50f

SHA1
8e01d1cab207bab70c147c7989cd2effe89ee727

SHA256
de9adaa6a8c2cf1411514aa3b123e1696f085cf5b77aa0395a8ce85d7709652a

SHA512
7bb00a1e01e13dc294537be52b66a6ab75029a4d02a0cec7462a35dc5bb00bc9cfe6483b084405fbcdca72a1b092240d8a87ce8ba671fbee19a9e2e978d5bf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcgw.exe

Filesize
199KB

MD5
0a4b47eb24a03224febd71011cc56ae4

SHA1
60fb9c69d79c78d9689d7e9a87ad0173763de7bc

SHA256
96088f222ec4d355cb9ec8c7fe0e24d544b6f041cff92cf496391d4fe15ac740

SHA512
d460e363c5b4e4ae27dbf9f247e4c95bed69762a6b1b508ac5adbb6b467c883b633770fb17ed10100754e8cbec0f9bacb748724aca80865d57048e86b00f8cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoMs.exe

Filesize
206KB

MD5
4112766394f5f359c4e4a6ec414bb9aa

SHA1
ac3c76f5938a8c4476fe314dcc681b71593a6015

SHA256
a0a9dfd8a0afcdb0d78ecd76b210d434594a136cfabfb592cfa685c1bfc4bb04

SHA512
044659b11035f8e2003f144ea2bb951d612020595f471cdc05075b4eedfd3240645c0f10291eddf58c36924a2c7941378866a90437ad96e171fbab38c907cdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwAa.exe

Filesize
261KB

MD5
3f01bc2125b911967402018742557d58

SHA1
c20bd538d7e9d382cd31e5de0e803675b1f15468

SHA256
0ff455af5aa124911c09b6639238046f298bb3328a60e8f5383981527dfd3ee8

SHA512
ae74529246473c08ea60af16cf7311c71b29229607502ace4c62899bea777ca62b831be9ac514ebc185b2d7295ce2f7cdce35c4c93121b90599523d090bc5f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAso.exe

Filesize
980KB

MD5
f520b78dc947fe10756593041d609f65

SHA1
9fc593d62fc4041bfd5a635c1f9caa167c596823

SHA256
f4031d54bdb7da926232ee45034a4981188fd8cbf6bea0c2e64b648f267c32ed

SHA512
358389685e0a19ed286fc663ddca1da6e6f9ebec0fa61e60fc3ac17959160e775143b9429fbb39d86dd8b58c7d31b39ae24bf0f80d36713adbb6541ff508d2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAm.exe

Filesize
784KB

MD5
d72cace835749f5bd786d05a32e4f851

SHA1
8d7bb91dc99284eb6026c49b41e15934aeb295f6

SHA256
81bf28dee6b87e161dcc4779fbe31db97af77c9772184e3af7ec60ccedd17d6d

SHA512
c7b7890f0e17ebd88a58a62344f52d99ba8fc0f0f19ecbee661c8c695d65dca023bdba05382758d21c8662ae03ea17e8e44053932bae7ebe35134f3801060318

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIe.exe

Filesize
1.6MB

MD5
4bffa1030268015a58ff9a79b2653e1a

SHA1
c0d96e73dc4c21845d356a36d4c927e75868cd95

SHA256
5aa02d81b076e22bff50a3ba3d470c34221b2261f642a6dbf1fe89a7cdec9610

SHA512
d0c031d03455e97d9799d6ee9c2b65d60ec4f2c13b54fbe4ceebba1f8e6a45c51bed39847dc1dd1e18b8f718fcc43331eb8cd04f143df80beb30aab43fac090c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQEG.exe

Filesize
201KB

MD5
b810512e5862e47bb48abcc3b74dd1af

SHA1
7284c97a734368d7a491cbe6feb2a216310a56ee

SHA256
4745be4e071d2caeb90e14a0715717214d37ece597adb8fa3f39b43ad16c4fc2

SHA512
38e28dbacaa6ba62a86ea5d8fa60c5517d8b7cd9528ab3f8a49d026f2e6d0616e444e43fdf90314e21ad966a6f2c5ee7921bd1d7dc77474cf7f9859cfc6b06ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkoQ.exe

Filesize
209KB

MD5
315c472f5b1d12fe0a5e59c50d335500

SHA1
f7b50cea028c65c35b8241e19b3be66f091a6d9f

SHA256
590e8eef7c8970f071063eddccc9345e2b7e8c223c5c3c8e1ab3f35027ea8f06

SHA512
9e6b3b28d8988ba6b2ed94c9c514753cf736c599aebc5c4c81e51e7dedec4ae2a9b4b3512eb12c0a5377f817598c1aeaea703112296fac20d3d23677305029fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUq.exe

Filesize
631KB

MD5
f65802435604391c231eb3546212858e

SHA1
01c7bc0d54d64e3663d528e4b9f3f9a7ee856b20

SHA256
6450ccf57db0a370f6d0ffc6365d0bc4d943a70e4b890d98a7a3bb14c3f411bd

SHA512
274484c97fed909dcf2b029c95980292ec5236f7213a7a57f77b53daa31409eb183cf187ad7c68b68b8647f1a0c074df5561837d18a7a4a195b94d7faa7bc1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kskI.exe

Filesize
428KB

MD5
2b71c0d6cdac9c636a08a88a996db92a

SHA1
203b98eb981a7783106892c790867fdcbfe4e26f

SHA256
f771d34fd0e825dd34b04c69855127d234ffe03a6964585a05c78b9e377e0bc4

SHA512
ecaa7ed52e5a3c25c7bb5bbd9b36ffbe2abaab4e97a88afa51e4720dbd47310ed33a2105c2ef56ff7cc2e0dd6c539204a5af71ba3aada77401c7e0748a911241

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsQc.exe

Filesize
184KB

MD5
19d34ff9c10f34d3a7c11cf5650c4229

SHA1
858841ac2fc57f57c5d6f9ad5a88dbfd9a77df0c

SHA256
ec43002f03d97a37b2aecfa2520b7839221a6e54ad7a0966aac5782007821b5d

SHA512
96058324cef7ca6f36f724b85c947e9c123d58171eb14fd8763e2ab6f3ef9ee25a301f6f1a6dfae5d87f4e158abbf717f15488fc2072ad1b5c1a5b3a2344075e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwG.exe

Filesize
216KB

MD5
25fd458dca1aca6b81ecad8336dbcd9e

SHA1
48a8d96e05123f2cc615e5bd0ddedc38381105ec

SHA256
ad3e08a5a7568f1baf365b0bc8b2cc0cbba9ec7a48c582564cec052d0b7f0806

SHA512
f84a1be8e461480814ba4f9c5b9b1208b590f511958d405e9ad6209d085d1c354a9287d8e629fc71c834110bd35abb3bb182138fe2bbf875cd0f8109027a8346

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMcM.exe

Filesize
236KB

MD5
8308c5e792b486944cb0b5794d634a74

SHA1
f8a7200c05cae77107eb04fab7c7ba36cb4473b7

SHA256
71fbfa610cb64fb6eb39ce8c12ac4a60256fb841730a973c1cf19a31f7c808d6

SHA512
a445243e799564b243d346014dffe72f770281bdcee48c95663351da9259468418f1d858604112603f96bc4e8451bfb23111c201849212219f365be680d117dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwoW.exe

Filesize
186KB

MD5
854382337c0dcfc669adaff0bf284292

SHA1
1c330532abbe4e9018b6f4511b1b596c9ed1834c

SHA256
61ba8876ab7743b1f3f5cc3dfb79a39072be5d422619bc98b9d275a3c92f4d1f

SHA512
b74842706db8c656bc4bdfb0605d4da49d347d943821b5d8b9dab0aede994375b1c8a5e496d9ae7e06bb60b87371439207c9fa6061768a73bf2aab93ce9e8e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngko.exe

Filesize
641KB

MD5
902fd171aab70e065e2a2a5c138bc2c6

SHA1
e3627d0c3e3c68cbf07f97006d0d90c0abb870eb

SHA256
26511fce8f4377e5574059586a55d463fe938d9df4ed2b5cf43209028b53b562

SHA512
8efebf2186ebb9a7ddccf2debb542c2fde194d982dc6634257a204bc0dd73cede365d854505ce5c86c37c9fa402b2fbcf24bddec65678e875db0ed36ee429f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMc.exe

Filesize
196KB

MD5
4cc47e1ea881bea61f28aad7fc0bc67b

SHA1
197b24671cbed1a3a00278b3aa66d55056de75ca

SHA256
dbd131af4b42578335b95d476ecd1399618ba28a1e3d4a328d4409acb4cda515

SHA512
06011a4ee936e1d538c44b887459c646dd9b530da46e1168bdc689c0d446c13f4ca3e3233b4c5c3138e4c360de9ad37bbada059d83128796942fc3869f977bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEMg.exe

Filesize
217KB

MD5
2d79bb20e8c14e9b34e72143130e8649

SHA1
660de59e2412ebbf63b16e87e0a92aa92b56514b

SHA256
efcb7f98c28b68ffe1cd65bf8ca9e8861ddd25f7269c925bc1a2269472e8f7ee

SHA512
31483fdc17cb51affaffcc35b4cb63b7112a1ea1de95b4dc62c52b2945c658dd9623b102dad19017e4f5a52d14ba29b7e473676cc16042acd9afe35de0c8a69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMUw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQu.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIAw.exe

Filesize
181KB

MD5
e99fa2da277da2ce4768ae03fb9bd8f5

SHA1
efa1b290a91675d60285c63e0f80c96bb4f2b937

SHA256
6392909cd0789830999b47eaa1f62a9abdbff5e606fe2fb109d7b3e6fb9563de

SHA512
0ca782fec7aa29bf3c19b6049e6c2d2769ee34bf1480a06ebdb00d1502b07a6bb053a83b6437ae74065cf2970b99fb5969bb81989906a0b560660048fa64c089

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUIU.exe

Filesize
213KB

MD5
fc319b22e06ec8a2ae2862bc9e613557

SHA1
0344501611699e5cdd1ab333be41d2fd6d2e0577

SHA256
fd0ffcc56d315478b54acb947aacbc89345ec52f8330485efed0bcef428ea00e

SHA512
47eb78d6e8ee1285dab678a4570cb6e884b66533ecd05fda6695d7b9391f69715183586239e988b17e21fd44e53a310716c629cf5fbd0b12b11317e2dd067732

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgc.exe

Filesize
1016KB

MD5
e63fe688d6fb854bb5af264b36639c2b

SHA1
9f801091ec4133317701b5d173bf519012022960

SHA256
c48b1a4b9e4ac1a35ed299401a27d7453315fd5c9d762b3e21fd4e2ac1c848cb

SHA512
3da9ca39623f409f0513768d1a0057c5a5d22bdc251e3da2d882c0e8ac7de520b9681f737704bac03a6b509402cb4c3569cb1f5aab6b7a68399263d3c780a4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEUy.exe

Filesize
226KB

MD5
2459b580ebae3b4f5ca0144a0832a192

SHA1
510baadbeec22de1a6d1ad75f015e127cf921d8f

SHA256
ead6284ee6d7e31c76c8a6141f92210e44f7356fafbf11419f910ce2afecffed

SHA512
32d36f948940adee0bf0a9b89db22380b96656612f72c689a93357fa63d9c124bf05026f11e56ee8578e16b6fe9752a4c23de54262a0fbf8ce5157e117540c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsUU.exe

Filesize
207KB

MD5
8f7babe09a229e01317e230ad5dd1034

SHA1
54666b34cbfa818fa542468f2765fec11fc1b76c

SHA256
24d3c4f5c4129609c1bb81674a9d1f7344ab3afa715ff29c26c5d65ab37b70ac

SHA512
3680b902dfbe7f5de12a24fc7c667d08165bca57fb4ffc65c695f125de75eaf4365daefa31f36231dd78c05a942f5fcb9a1b6c43dbcf7ebc9f39042b9012be17

Download Submit
C:\Users\Admin\AppData\Local\Temp\twAk.exe

Filesize
1.8MB

MD5
d403f8809c16aa037866d2c49c22fae5

SHA1
70b69af889494002e36534acbe189a6e43643d40

SHA256
37ad3d2808474deddb448bf6993d3852bb1c9eacd1c74c555467275aaed43b8c

SHA512
095ea4856b59e8d266bbd598f0697af870f422d081d795868f3ec492720b3ff5dad12d91113121bcccac82e405146b414e4723c40cf2e78cd6f8d948dbef71dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAQ.exe

Filesize
1.2MB

MD5
ba58f358a63e8a770ed131db0a46c90e

SHA1
53684e01b46fee27495ca7f3fc418dc5a981c7ed

SHA256
84d5ad3590337c25e90e531c4b87c56ff16447850aa9bfcc63f9f5ad82f33912

SHA512
4bbb27d5613c3dc08f6bb6c5257557d04424c3ea4b9bcc31821fbaa67254179fd7d58cc3195a766cc1dcc192ab8d37b69ab5e517a28d7353bf1c4a1ba0a9e0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQs.exe

Filesize
209KB

MD5
2cdc9139cbb3c9649fa2ebc153e0857b

SHA1
746ce18205ff94f8a7e555b0ae6bb48245dda06a

SHA256
0c1c1cc8d85ab16966edcbc3e226cd44eced59b04aa5d9a5ed504b7110d46b57

SHA512
46c1707da9aa10acf6955858637cac1f4436d3931a17b30109dadb108bd59b9319c42871e2fc9b048f793e8b675461831feb827c24857486fd5465c0faebe89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcwK.exe

Filesize
196KB

MD5
198249d44314f78012693cb9d9bef309

SHA1
96ac5d448f52c244738bd487ad177bccb737d7f6

SHA256
afe76f5e9f3240a6ed9f8de8515cc8714684a7c902fce5e788b8c0821ae3b2e9

SHA512
612a41d1c9e665ec23d967c3d8c4e0199cf230e81c14d39c6669c0b7e4911b95fb33ea04e464bb5873581458b80d89cd757d2d433d8381c5671d0dc2944c4983

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAC.exe

Filesize
188KB

MD5
091308d5f27a6114728c1916e036ee60

SHA1
f8466b5027fa5be56b8da60074434fead712e358

SHA256
d9242fab4a96548a89e20b70e4e86e1983191b286ef6e7e3b1638f88735809eb

SHA512
f6f8dd11416868474137e9502247eb2f9631c9b5a8fe756cc4781a56dad318bb6e52043d92abe075aa74f9e3b7f7fdae0cf5ea1e63e72934f316c5ffa6293100

Download Submit
C:\Users\Admin\AppData\Local\Temp\woAi.exe

Filesize
186KB

MD5
622b5382de36e40d04bf9cdc7816b92b

SHA1
56dc56af3fa8669aae5405251028dab79226030b

SHA256
781e2703753cb892cfd48ef140e0d9b4b2b7e647b35ca18ef6fe9abcc1ae294d

SHA512
278add582c6b90ec429ae6dfbc13896e8631f047fe2edb51a39273bc57f4ffd2a35c22af2669514381fc5fb9a80aaaf99543d5c964e2b3d430371adf9db6423e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcUg.exe

Filesize
187KB

MD5
0acefeb3fde8fd4d75a4968ba8d8bb4e

SHA1
99dda7b66770cae4818c2aadb3465bcdd3c1a860

SHA256
5a36b52019cc1aa2c526aecdbd6fe6f0db881851509ee81b187166b77b54de1c

SHA512
8c7669c5dbc68a152df4fc5c4aa50cff8544a3725b7ef699d0e4777520dad45ca963e09a0e05c106c80eceecc6b289cd1424126149322b2de28a79b428112348

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwUa.exe

Filesize
186KB

MD5
95e128adbde66160a10d211f80483b88

SHA1
9e831d0bf154ae4812f39968c3c6c5d9efe214f3

SHA256
38452777ff0a089f6bcae703b2f9a98d264522519cf6671b1520c4b313288796

SHA512
267caff6435436cb5f3e164feccf15a21c3cfffb893b524f8ccaefb8f810b4d945e78d9f75bf0e3274f4d524fba94c710b3ecbcdf3a11b50cc9bcfa6c9c1db0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAs.exe

Filesize
190KB

MD5
973bef567743d0ae477cdc4483c7385e

SHA1
1bef7540166f9dd83b15cfa03dfc112a91f2bb04

SHA256
bb71526203f8e8ed5e9ebb0469c3414695939878af313930149a9cdcac80a9c8

SHA512
696de125a5bb529cd18ed27d394c72bfc9ee62edb32931ff5597bdb2b75422a397258d816cc31eefb2df38c5b6191a2dcda514478d6561287d9dccfe590c09a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUAW.exe

Filesize
200KB

MD5
63915eec1e1bac11f893793214bf1097

SHA1
606d37fb8d0d303d1877e2e5fc4a197bf5659728

SHA256
e060fb3273d41b0677ddf96077e04662dba17ab421c7ddb8cc097462e4749fe5

SHA512
73b625cd3e9453a1c7e70ac9a50e7bee83041ac756ba48ccf6227837718722e6d83397abc92bb71ed146ad4b409ce4c3f6fc4ecf9e7f3a3341a65ce210d8fef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUMK.exe

Filesize
209KB

MD5
324f6010fdf9c93112cd5e2d8d89f2ca

SHA1
8b940a6ec103631950698df9f1663b4ab2df8b5f

SHA256
8246c8979f22fa48b291ed4df8f2a7ddac23edd6b1182ddbb779b3c27b8b61e2

SHA512
27796d71a078caaad6aa13bca764cbc651ff1e98a0ab4dc46d5333349ad0dd26edd91681195ce9c18f0c9bd92d42aa0d9329c9118c0d5793b5386acb45b35cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcMC.exe

Filesize
195KB

MD5
f2e90d74222708b9ada3f6cd4b1c89dd

SHA1
874ebc8e670e62d2298cb09d98c19dc9d2b8b061

SHA256
3b90897da6b671c1df4aec24d08ce32baddd0b4127784a0494d20796121892af

SHA512
9e24ef64aea83db7791558d68646fcc6d4244732bb9e5c1f63010ca9f4d4a0dd0761b8c781bcf7c18ccc839f021218fc3116087824f7f21ca4d53e85deeb8c1e

Download Submit
C:\Users\Admin\wugooQYc\yWQUUIMo.exe

Filesize
192KB

MD5
782b013766ff7cecf28c8a71384b1c80

SHA1
30c55675408bfa85ef625006ae832a4fed8a607d

SHA256
035f2509595a5d7bf01c6a89dc960e05b2c747e46b57009a22db44938981476e

SHA512
7e940df3ad91a381185ee15acdb361f72169e7a7233e11a2078c7efcf627e06beb454d00ae86304792e9ecdf1d5de3321e22d2a1f8312fe0d6bf8dde2e82cd08

Download Submit
C:\Users\Admin\wugooQYc\yWQUUIMo.inf

Filesize
4B

MD5
ee766b01108ca827d12019cab8e5186b

SHA1
b03c277d42a938c755ff5096184f66f1545c6c35

SHA256
a1c4eec9641fed1cf42073c2f3638149dae905148033765b03192fe0b58fe31d

SHA512
9b3121359172bb7cd8d2a03490658ed5e62fc8dfe3f46099d8123fe1027eb7e76aa787ee5f751536d39005d326940b298603f3b8cc9892cea3179ce4c0603884

Download Submit
memory/212-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-964-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-1028-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-641-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-652-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-771-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-662-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-845-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-642-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-632-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-1030-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-612-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-624-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-948-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-907-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-911-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-860-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download