3d5d775ae8524bdfe810fc41b44f3d40a89ee32a06985c38eeb2e4f35670c5b6

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 04:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Size

208KB
MD5

e8e50f8e8c3f7e7ec8a40eba7414b7ab
SHA1

69fd0c614bcd2616cddb7d8c98dd50aa82f744ae
SHA256

a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
SHA512

6f8309c5de3b6f031587808c0c8bd9ae582fda9882edf4c50bd366b34b5359b625604f07ac9e67e0e7c4ecaa5158fe6e869faa81282d14db7953f178e661bfe9
SSDEEP

6144:nKgKrD7EJBNn4uQkKNLjnWYIKbkqu9aSN:nHi8BNn4uTKNPWYI1uk

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	aokMkgUA.exe

Executes dropped EXE 2 IoCs

pid	Process
4368	aokMkgUA.exe
4468	taoAUcgo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aokMkgUA.exe = "C:\\Users\\Admin\\AeYgUsAw\\aokMkgUA.exe"	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taoAUcgo.exe = "C:\\ProgramData\\nOIcEwgY\\taoAUcgo.exe"	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aokMkgUA.exe = "C:\\Users\\Admin\\AeYgUsAw\\aokMkgUA.exe"	aokMkgUA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taoAUcgo.exe = "C:\\ProgramData\\nOIcEwgY\\taoAUcgo.exe"	taoAUcgo.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	aokMkgUA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
608	Process not Found
2904	reg.exe
3572	reg.exe
364	reg.exe
968	reg.exe
4012	Process not Found
3136	reg.exe
3424	reg.exe
3752	reg.exe
4908	reg.exe
1132	Process not Found
4604	Process not Found
2132	reg.exe
5036	reg.exe
1188	reg.exe
4116	reg.exe
704	reg.exe
3364	reg.exe
3540	reg.exe
3448	reg.exe
2256	reg.exe
628	reg.exe
1300	reg.exe
1412	reg.exe
4460	reg.exe
2420	reg.exe
5052	reg.exe
3500	Process not Found
3276	Process not Found
400	reg.exe
2672	Process not Found
692	Process not Found
544	Process not Found
2524	reg.exe
3084	reg.exe
852	reg.exe
4272	reg.exe
5088	Process not Found
1132	reg.exe
4456	reg.exe
4308	reg.exe
4888	reg.exe
4688	Process not Found
4780	Process not Found
5052	reg.exe
1880	reg.exe
2036	reg.exe
372	reg.exe
3608	reg.exe
1104	reg.exe
3532	reg.exe
4224	reg.exe
2972	reg.exe
1696	reg.exe
2900	reg.exe
4868	reg.exe
3136	reg.exe
2908	reg.exe
1532	Process not Found
1316	reg.exe
3008	reg.exe
704	reg.exe
1652	reg.exe
3688	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4548	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4548	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4548	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4548	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3768	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3768	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3768	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3768	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
2984	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
2984	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
2984	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
2984	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5052	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5052	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5052	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
5052	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
832	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
832	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
832	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
832	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4172	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4172	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4172	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4172	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3508	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3508	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3508	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3508	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
460	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
460	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
460	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
460	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3112	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3112	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3112	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
3112	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4340	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4340	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4340	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4340	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
1660	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
1660	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
1660	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
1660	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4996	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4996	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4996	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4996	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4472	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4472	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4472	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
4472	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	aokMkgUA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe
4368	aokMkgUA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4368	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	85
PID 4488 wrote to memory of 4368	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	85
PID 4488 wrote to memory of 4368	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	85
PID 4488 wrote to memory of 4468	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	86
PID 4488 wrote to memory of 4468	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	86
PID 4488 wrote to memory of 4468	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	86
PID 4488 wrote to memory of 2284	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	87
PID 4488 wrote to memory of 2284	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	87
PID 4488 wrote to memory of 2284	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	87
PID 2284 wrote to memory of 704	2284	cmd.exe	90
PID 2284 wrote to memory of 704	2284	cmd.exe	90
PID 2284 wrote to memory of 704	2284	cmd.exe	90
PID 4488 wrote to memory of 3016	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	91
PID 4488 wrote to memory of 3016	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	91
PID 4488 wrote to memory of 3016	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	91
PID 4488 wrote to memory of 2904	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	92
PID 4488 wrote to memory of 2904	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	92
PID 4488 wrote to memory of 2904	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	92
PID 4488 wrote to memory of 3976	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	93
PID 4488 wrote to memory of 3976	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	93
PID 4488 wrote to memory of 3976	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	93
PID 4488 wrote to memory of 4600	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	94
PID 4488 wrote to memory of 4600	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	94
PID 4488 wrote to memory of 4600	4488	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	94
PID 4600 wrote to memory of 3880	4600	cmd.exe	99
PID 4600 wrote to memory of 3880	4600	cmd.exe	99
PID 4600 wrote to memory of 3880	4600	cmd.exe	99
PID 704 wrote to memory of 3884	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	100
PID 704 wrote to memory of 3884	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	100
PID 704 wrote to memory of 3884	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	100
PID 3884 wrote to memory of 5000	3884	cmd.exe	102
PID 3884 wrote to memory of 5000	3884	cmd.exe	102
PID 3884 wrote to memory of 5000	3884	cmd.exe	102
PID 704 wrote to memory of 4296	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	103
PID 704 wrote to memory of 4296	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	103
PID 704 wrote to memory of 4296	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	103
PID 704 wrote to memory of 2916	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	104
PID 704 wrote to memory of 2916	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	104
PID 704 wrote to memory of 2916	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	104
PID 704 wrote to memory of 4476	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	105
PID 704 wrote to memory of 4476	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	105
PID 704 wrote to memory of 4476	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	105
PID 704 wrote to memory of 3752	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	106
PID 704 wrote to memory of 3752	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	106
PID 704 wrote to memory of 3752	704	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	106
PID 3752 wrote to memory of 4036	3752	cmd.exe	111
PID 3752 wrote to memory of 4036	3752	cmd.exe	111
PID 3752 wrote to memory of 4036	3752	cmd.exe	111
PID 5000 wrote to memory of 1516	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	112
PID 5000 wrote to memory of 1516	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	112
PID 5000 wrote to memory of 1516	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	112
PID 5000 wrote to memory of 2320	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	114
PID 5000 wrote to memory of 2320	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	114
PID 5000 wrote to memory of 2320	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	114
PID 5000 wrote to memory of 3932	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	115
PID 5000 wrote to memory of 3932	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	115
PID 5000 wrote to memory of 3932	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	115
PID 5000 wrote to memory of 1372	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	116
PID 5000 wrote to memory of 1372	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	116
PID 5000 wrote to memory of 1372	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	116
PID 5000 wrote to memory of 216	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	117
PID 5000 wrote to memory of 216	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	117
PID 5000 wrote to memory of 216	5000	a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe	117
PID 1516 wrote to memory of 4548	1516	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
"C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AeYgUsAw\aokMkgUA.exe
  "C:\Users\Admin\AeYgUsAw\aokMkgUA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4368
- C:\ProgramData\nOIcEwgY\taoAUcgo.exe
  "C:\ProgramData\nOIcEwgY\taoAUcgo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
    C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        8⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        10⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        12⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        14⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        16⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        18⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        20⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        22⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        24⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        26⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        28⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        30⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        32⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        33⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        34⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        35⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        36⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        37⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        38⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        39⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        40⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        41⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        42⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        43⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        44⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        45⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        46⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        47⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        48⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        49⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        50⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        51⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        52⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        53⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        54⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        55⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        56⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        57⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        58⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        59⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        60⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        61⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        62⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        63⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        64⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        65⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        66⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        67⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        68⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        69⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        70⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        71⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        72⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        73⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        74⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        75⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        76⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        77⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        78⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        79⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        80⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        81⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        82⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        83⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        84⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        85⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        86⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        87⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        88⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        89⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        90⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        91⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        92⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        93⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        94⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        95⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        97⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        98⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        99⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        100⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        101⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        102⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        103⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        104⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        105⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        106⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        107⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        108⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        109⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        110⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        111⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        112⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        113⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        114⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        115⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        117⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        118⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        119⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        121⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        122⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        123⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        124⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        125⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        126⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        127⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        128⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        129⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        130⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        131⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        132⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        133⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        134⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        135⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        136⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        137⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        138⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        139⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        140⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        141⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        142⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        143⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        144⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        145⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        147⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        148⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        149⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        150⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        151⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        152⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        153⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        154⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        155⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        156⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        157⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        158⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        159⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        160⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        161⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        162⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        163⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        164⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        165⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        166⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        167⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        168⤵
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        170⤵
        
        PID:832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        171⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        172⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        173⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        174⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        175⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        176⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        177⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        178⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        179⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        180⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        181⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        182⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        183⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        184⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        185⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        187⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        188⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        189⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        190⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        191⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        192⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        193⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        194⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        196⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        197⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        198⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        199⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        200⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        201⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        202⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        203⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        204⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        205⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        207⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        208⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        209⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        210⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        211⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        212⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        215⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        216⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        217⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        218⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        219⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        220⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        221⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        222⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        223⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        224⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        226⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        227⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        228⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        229⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        230⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        231⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        232⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        233⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        234⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        235⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        236⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        237⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        238⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        239⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        240⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        241⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        242⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        243⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        244⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        245⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        246⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        248⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        249⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        250⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        251⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        252⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        253⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        254⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        255⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        257⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        258⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        259⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        260⤵
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        261⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        262⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        263⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        264⤵
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0
        265⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0"
        266⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaEoscEQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        264⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAMkokIQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        262⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peEAMEEk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        260⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSswAUsY.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        258⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcUoEgEg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        256⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEMIoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        254⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQgwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        252⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fasQwYUs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        250⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmUcggws.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        248⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmskswAE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        246⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmswAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        244⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYYMoAwU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        242⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAYQkgk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        240⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMsoscME.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        238⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuwEIgIw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        236⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAUYkoIc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        234⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwMksAIY.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        232⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuEIgwww.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        230⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCUowUQg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        228⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmIAUgUI.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        226⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKwIYMUw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        224⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMAUYoAg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        222⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\takIEAsM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        220⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWwUsYQo.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        218⤵
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAwkYowg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        216⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcYsAME.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaEkAUcc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        212⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lucUwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        210⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NakQQQUg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        208⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOoMIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        206⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCssAssk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        204⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMcocwEw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        202⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYQQwYUU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        200⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        Modifies registry key
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsQQoEMU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        198⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUgQcswc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        196⤵
        
        PID:788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYIgQEww.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkgcYAEY.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmwYMcIk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        190⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCEcgAUk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        188⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygEwUsU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        186⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeEcgoIU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        184⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOIgkowA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        182⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEEEYgMU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        180⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeAQkYwo.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        178⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcAMAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        176⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcEoUIUw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        174⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQokgMoI.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        172⤵
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAcQYwQA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        170⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewAogEYE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        168⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQgUUkMU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        166⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fusgEAYo.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        164⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DucQEoQE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        162⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmIQwUIc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        160⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cykggQwg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        158⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWgAgYoA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        156⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSoYgYgA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        154⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hocwcokg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        152⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\towEIAks.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        150⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwIIUwEM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        148⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KekcoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        146⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWMEMogA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        144⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqQEgkgk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        142⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMscsscc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        140⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEogQQQE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        138⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIsAgwko.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        136⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSEkAwMI.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        134⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmwAQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egMAwIkU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        130⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\augMUgsU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        128⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwwEcgcE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        126⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQwcsMw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        124⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAsAMkMg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        122⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcEUsQAU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        120⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcwIEUcs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        118⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYoAkIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        116⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGwsoQIc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        114⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCsIoMIA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        112⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSMAcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        110⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWIEUAwY.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgwYEAEs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        106⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQoUossM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        104⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuQEYEoc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        102⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sygUEEYY.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        100⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aacQgcQk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        98⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQIUMkEE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        96⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoYgwUgA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        94⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKkwYAUw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        92⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYkoksMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        90⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyEIsMMA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        88⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwsMwUE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        86⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siYkEYgU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        84⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKEUEckw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        82⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKQQMIwg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        80⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCYEgIoU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        78⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqoEswIk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        76⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LioMoUEw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        74⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TikosQos.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        72⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaYgYcgM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUksEEIc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        68⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEkscIcc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diAQQwsE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        64⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcEQoUMg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        62⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOkEEwMU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAokoIME.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        58⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWkggskg.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        56⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmgAgYgs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        54⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEsMIUE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        52⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmUkoQks.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        50⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joUkEIQk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        48⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKIkAUss.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        46⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwkgQcUs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        44⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaUQcQsA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        42⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcYsgcoE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        40⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWwcgoME.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        38⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAocIMYk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        36⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEQQYUA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        34⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUksYUcE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        32⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCoAcUQI.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        30⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikgcYEYA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        28⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKwIwUEE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        26⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOwIscYQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        24⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYwcEMEA.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        22⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgAgYIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        20⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmsQUMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        18⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEwsIAcs.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        16⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSUgMIQU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        14⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKkYcYwU.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        12⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkIMoIQw.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        10⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCgYQMwE.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1976
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3932
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PukUQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REsMcAEc.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2904
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOQkUUoM.bat" "C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4456

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv I0K3p3WN7U+l0VV1jNUkuQ.0.2
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
330KB

MD5
8b728c086735581a223167f138b6ea91

SHA1
237ce774a54d78413be6d901b3d6246505f5b15f

SHA256
d7534f15690717feb52e15826e6b617678b0091511a8037a9409bf241b7840d9

SHA512
5021552744ecb2717fb363cf85de62a286358bd01bcdd09d66115cea6183b91771bcd4b6a456e2158c9f38ebd14b91cc7a3e694022eda031769c5e263931c119

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
317KB

MD5
afaf11812916dd0c609abd0548e7eb3a

SHA1
c185d1581fd1cd1589d100c64b56aa3559f9c25f

SHA256
3be2d16409e295353a46e97c501484c01f6e77adeea8248b0b89bd76cfbc283d

SHA512
fc91b139fe8f0df1caf10d9f76a960b0a8ae5f2577a483bca72963284fe3d6f75d4ae97932702bcd1f981dac1b41e900981de11c2e7008aceffa5b9627e6acbd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
246KB

MD5
5fd693ccd28073ab393a78ab4df3ca99

SHA1
d8f31b0291c3f0f02c687a810dcb499b97b6057d

SHA256
b0e0b905a00cd3171677a3b38c5f379b06c6ed53982ae7cddd11aae72160fff2

SHA512
51ec2c116ccb4b7da93483203ecc0df3a0dd228f82b4a3d26db5cfc36ffeeb77a6aec1ddf24bef716e10ed281a03a0fbc5f75c95c7857d08d66b7b9a6de924f4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
188KB

MD5
4bc4da1f81cd35a05c4d6e3457e3a686

SHA1
23d32f63abd7180fe7722a638bfda0a3acd2ac81

SHA256
2e3cff277dd5dcd704629e65b933590c0f7de83f41e42633e44a6f346291c210

SHA512
71c31439c4831ef3063fa274d92b7f77e73387c59e5640a1e34bcebb7f838f0086ec843478bfa69715e0bdf7d4303e830b4171d0d32fa76900806dd905276b71

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
640KB

MD5
8dc60c2119eecd0095b3e13b9d93e5fd

SHA1
039cbc976e595c6b2dcdf9258fd3f579ac7b690b

SHA256
b9eaa36fbf7cf4eae540e6eb5e65753c37bb0a34e8ca791d4556da8e7932983c

SHA512
a2167938ee6406e1046b5a239f7882c7bca66b42cb2a9d01df0095e4ca7d0b1ec1b1a88380a6e7a51c62ad3c0826d788cea83a4c77c2bfdaed1f8d4fe282e672

Download Submit
C:\ProgramData\nOIcEwgY\taoAUcgo.exe

Filesize
189KB

MD5
b68a403e2295ec134bc699a8b22674d1

SHA1
c3de5a269f4d19ace6e1a11cb8dc153eb3ad412f

SHA256
f678c27bfbf9a71de6aec5130c11c0450f60c1593632e91ad25e6452cef21b15

SHA512
f77fbd80af68944643c2bc19bcbf7c89d5eba52b3996b914c3be1c93c031caa693cd8d93dfd5a15d68ff167d3f6448483729af9a55d03bd77a4131aff03e1ee6

Download Submit
C:\ProgramData\nOIcEwgY\taoAUcgo.inf

Filesize
4B

MD5
445aa62a9c32e857a2b237942a838871

SHA1
b4021dd27432e852f8a1728dfad76a5f051798ef

SHA256
3ded821f7ab68c5aa3ee5344a97e504eaf2cce58dedf6205645e744219f71c18

SHA512
3ff54ccfe3ebd88b93f59a06d8d80b0362888f665d1d7d61bb0ddbc6fbdfddc2679bd2aa0ef98673d3a23522554583a6adb36d0a41128f192a4176b5c88755bb

Download Submit
C:\Users\Admin\AeYgUsAw\aokMkgUA.exe

Filesize
186KB

MD5
4ad331b32635ad75e8aed7ac39de491d

SHA1
0c090a39b8e76fa163f6313a322a7039c29415df

SHA256
ee3434c2d772907fc439a9c07673c53ef2805e7ee8bf6f4fe9a06d1aaacb5423

SHA512
373d43c5600d40dab3faef952879f61be0279420fabbcc98b03022f77fb7a1bc98215d1497c765eae30b050f3bc415e315dfb51400a4c3f878aa1ddc37cdd5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
188KB

MD5
a79bbf53ba94c255d4c199343894ea08

SHA1
606fd428a56ef128fa72d341446a05a0ef62e4cb

SHA256
5d7f1e405c8e7720249d2b730bb15bdea72c42373b56cca1fae7a5f325513979

SHA512
e38ccd823da235312407d024674a90032502fbc724e3cb5c02550f81c174f39283716b702af226c990fdaa5ec8059b84b3865835e56c0ea50c29539b65ad3d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
207KB

MD5
4e30e847fcf4709367554af9015fa4dd

SHA1
42138b0b3c95d143e14a072b8cb36718e1105199

SHA256
864665dca03dd03acec51b96c3701fc153231367a25c980c3dee7ab954d56ef5

SHA512
c86b2ccf52b350b240489f497fcf172a03d20c7a586eae80031d733b03df593c0a41930545bca4a5d5a99fb04691461a4684dcf462d5126328aa4a52d92673a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
207KB

MD5
29c5539c7550952ae17ebc97b68a81c2

SHA1
7811c7362938cb7b6d0bc8a393afb0a727ba41b7

SHA256
41e5fff8b084615ca42bd7b38ba7c1bc3384151183976769c6441992de70d8f0

SHA512
110447349c07b07c9051a02c71f2da2a6313b307acf88ccc361c73d54b3ed20a560c73dc28d14ee1f80726d757ad810c345ef743e07764182174b03457cd88a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
199KB

MD5
0b2cfe3082df62f8c82fd30b250a2542

SHA1
fb92d133705754bb514900cd8ec9257f96e645bf

SHA256
dacc6eacb963683a4d3f848999d7acf4b56265d3d80311f676ba34fffe6c86fb

SHA512
88a645c37335a4787fd2df81ff47aec10b497109f1d03aacf7e22069c0f7d79bfed2067bd6b4c4c5c4d7a04ad91a202b3bea28e009b06f324e9b5fcabd751595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
198KB

MD5
a3460c40c8d2fc3bbdcc8ced2141796f

SHA1
ad16477839be64b40d9f88302e5aa20d82478d01

SHA256
50bf8d2e08ac76022fd0c7b269a8a5a0d36f39b0b8c4f27e5273728d3fe60826

SHA512
276595410608225710bb34dece8e980d0a371a7c59034097411c365b2df245e7c024c07957d1a648f6f793dff94f98a5ba6f99f845cdcf59e977ae3d84ffe7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
186KB

MD5
9330a1d23757533cdf58e252b8e0c03f

SHA1
3aa5e4b4e572cc7bdf927748b53e5021c6a240ce

SHA256
8e42bef1201df1ad6956b55835ac422018ae5ff02f2d883cfc81ebfc4e8a883a

SHA512
6084d54fe8d9568c1d7ce011b9499311ab8a715ffed4275d144a6dfeedb4496dc355d110f5632650635966e3ea37c01ae9c730032b1ed2aa130aa04ea206b3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMso.exe

Filesize
200KB

MD5
3e175360e3da549681b003485f6925d2

SHA1
fcc2d954a9bf533d2dc200bf8aff71d923ab0308

SHA256
68818bb71e7c22fce7e35b43c3fe01c01c84c1cb3566e7972a30535c4e5d1dbb

SHA512
06cdc6f990de174ac8fa1915f54328cf227fe5966d6dd9dc8c5813605241539bfe7719dfea6841de1d87eaa7f28ebd5c29e6acef2fe53667d41b737739cd1550

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAwU.exe

Filesize
537KB

MD5
a0fcf5833fb355c66a3f0c415c659929

SHA1
0dab1e4fbbf744debe3b48949c5a531a33dfb3fc

SHA256
e16316bf5be15628a65a52252522eceeb718722f60fbae90d8265bd78caae124

SHA512
8721ef79664e4ce78026c1b0d08f26d3b17539de9def42907b9f319f4bd17cf76854d4fa41b943959a8d44ed045916bac9d6201b7bdbe366710b1b2619d2263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcYa.exe

Filesize
208KB

MD5
76269dbdf9e417c852681e84234840d0

SHA1
003d714ca951adc587247ae6d73df926fb3adad9

SHA256
be0fad6ef75e4022cb6944ca077a87bd7c311833191ccc0ed4941a86ff9e71dc

SHA512
3a33f9cccbbccc7299158bd7a8d24710ae92713ae7144fa0842bd1287b8f46e8ef874ac7c350f6e369f42154502f75d7b76068dd2832e6293b602bcad1334736

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcwA.exe

Filesize
1.8MB

MD5
990aa1416bd6ae5f6661b45896930389

SHA1
8c13da7cd670b80b41875429d5af9529eabf9a94

SHA256
7fd0753c5feebbe96e795b2b77c698db15f65debf2e9c2f2c2c7ce28df462ef5

SHA512
3ddeed77adaee532bc9c991b2c631ed441e931a4cb5d8695f3a083a0ceef8277962f518392ee02cb29e935c38f73f007c17c639925fd84a18096e3a3b8e26213

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYg.exe

Filesize
211KB

MD5
7585182d291f9877db7f6c60198a56d5

SHA1
600716b1e39161660010180a90c4433cc47d7201

SHA256
e0b1bf9f428d4186a8bfe93fe90385923340a2e205290b95fd922efe305c4028

SHA512
dae2cae22432c4d004b5e7050b8c02a675a0abc2a19308202dd68f214d2d7f09b470fb931f3ed0f76d5ab606bb9bccab63857cf0d623777d864888bde521fc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQw.exe

Filesize
182KB

MD5
de7f759a729adf8a9e8a5c1904dd7796

SHA1
a7916b2b3dbb5ff90e101e2e0742c03f30d7efc5

SHA256
fbf96498cec936f720f249d323dd8fbe47d055b378d7905afabc403d8d4b3189

SHA512
f0c7a4d821f647970f99d394db63fab23f9a43a0d3671668c0ea3f018673183d06064daa83152e6b8cfa61f1cfe4e358068d3f24295b123d06ad72eb3453f283

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYAm.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMO.exe

Filesize
1.1MB

MD5
86669d2182a9a545217affe9230b2827

SHA1
acf7c2f8f069055fe05f4f42bff87e78e277091d

SHA256
0cb8e0e2c4155f4f0de858c7b48d71a7b5759f0e15928bc6b0c8a35b201d4056

SHA512
73366db1813e5fe168e76f7a48bb4ddbc42d7ae26a5a36f48284961a0c3cfc18ae530df4a4573353397e9381f932f265fe4d3ad7830ceddfb21540228d9423bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIY.exe

Filesize
635KB

MD5
0ccd6ea7a617b0c2153896e86e8cd95a

SHA1
97e4eaf123e68483f33c7a199b9745f6f12db49c

SHA256
7d59b81b85e7fcf31edd0529a258c7a82195f39821de91558657bed246cdf494

SHA512
251eaaadf991c0106fb3680e269217a6333f17792caea1df349142371ed1b0864d1f1291d627f8bada5ea2cd284b83eae6ec7d14d47d08d3a49ecc2486624f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQIy.exe

Filesize
648KB

MD5
046b05632c337d817dcb630b2ffd8acc

SHA1
cf93e4ecf788c0b77a2381f1a2a8d4dc4d0386e4

SHA256
3e2c348796ebf1fb86cc7a029a802538ce3a75b9eef075818ce36bc428781bdd

SHA512
5c749fa733a301100b95fd515d1784ae61bb0dafd30bb7e37ce58f84878388100ad3441f456a8306de6295e6d582842d4cd38b0a9167cddeca27f8c6473e46fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUoS.exe

Filesize
828KB

MD5
d89f2f1dfae04ad901dd6afe3ec13ce5

SHA1
75cfb17ae05fcd288b9a5207aa8b6ee5590501ba

SHA256
21bd109af45f9417cabf81ffe15048910b307fd19462d9c6988fc5dca61284ed

SHA512
2f235ed7bdc2c75c36738a37adecb4c84f0a9b170bd08842c4338d7ca7f1a47c3bf87ab7625c62f180567e312ae2d3c0ec5058db4e4525ed24b83263c85a5880

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoIK.exe

Filesize
203KB

MD5
0f5e961c49729b09bbe5338cd20119f5

SHA1
6e608e72acea7a0f6e10cb91beda09fc168ace04

SHA256
21479e64c6bf8d223bb7796f9ea9946eae325c9ca59bb752057a29a0360f9b5f

SHA512
fd4467e8423567e5058a24f473123eb17f3cf2b60ad63a0444157e2f1168e00ddef7e7027987448811cd7d2a13185a2a787ead38935e59dc0893e99820421444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEMY.exe

Filesize
206KB

MD5
b949c3d7cc2162a18ebb3acbd5c68d05

SHA1
590b829421f7c21c70c8c6e49f46beff0343c741

SHA256
c8afe0d401c50a5c654127392f130dd0c22ccdbe5c21c128b23a92d698abd279

SHA512
8976038b9a8532dd8b43a4ad839d3801891bd311330e22a8a8357fb7ff314b921a39c15800347430233bf2f6d72129a8894746c9771e83d371b508205be6e8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIA.exe

Filesize
190KB

MD5
bdcb93b74dc34dd7225725e2531de1b9

SHA1
be9d44bf9e331cd8c930a7bea910cc930cf52d5e

SHA256
b0074799516a19deda1a6571b7accfece7adb662257106f5546ec568896e8adf

SHA512
74a49ba5e403ebe3fedbbe06585b87338a92efa2e6c4ff7c5578e399b2c22561b665531f3e4f81022d1cf9e22f7b55d90fdb95531f8a71e86ec54635db7d4560

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYi.exe

Filesize
202KB

MD5
82bc289ea63634ba7a17071434ec8f79

SHA1
9b8c1b2ad9a52fcdb0ffdeafd108be585331d35f

SHA256
d1dfb876ef1a894aaee3b55758eb6cc7d4e0a724ed5a27b8b802b26ad4a59b3e

SHA512
1b692998f305240caeccc34ac37ec956dd91649e31d73b812d9894a6c30f3064f8fb85a6406eb29b322c5073b9c42d80bef8f199ee00970d85453f1c26bf1f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwYg.exe

Filesize
201KB

MD5
01482a39ecce0bab4cd9c0e88b2fe694

SHA1
32dc9d26f3d39d9aca6aedd145df4ad03e31b5f3

SHA256
87428dfba614343eaf43c3a9a00fa1d79fbd8adae671adde2e7ef8a0e25061c8

SHA512
2c665a82aac5b3fc4f461614348a5114b9f5181f0c938ffd88f6d1fc23b1418a2680070eba13151707f29ad3e50196ec0280e8daefe9d6efaebf411a7df3a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAQo.exe

Filesize
812KB

MD5
836b86a3aff0cc857fa461acff3606f6

SHA1
af89bc461e12aa86027c931d2c34651ab76e716c

SHA256
6b4f543c6d0d21b1ce46f1d5044b8d4cde41d5e8c47328aff37d72e18398da5d

SHA512
ab0ef297411fe585411300ef561860aa7dadfae64dfefdb0711813de06071df296038abc78201cfd82af7f61a43fe251fded631b324dda499ec82e0f5cc5bb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIYY.exe

Filesize
187KB

MD5
71842df58e2714854b9c714de960c711

SHA1
eae9d33a15e2f646f8277d803ca037a4aefdbf38

SHA256
d5b839aabf291e8e0b493e1894d3f4dae500bece6ad2534fa4c6a0d951ffc195

SHA512
ba794c84db8d59edbd6310822b0bf31b24a451e3e33e8a254ff24721486f46530299d66e70c61a0ad47c0f10a271029379d77421107ebe2f7937761327c4cbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYga.exe

Filesize
573KB

MD5
d76a6c1594e3c7f7622bea8a17888f51

SHA1
d204a4b42fafb65dbf1b01990a4d1e3ef0e17c3d

SHA256
bde9d76daf6d62ae07cce969fb850a7ac6adf0bde78e59b7393555415cf96853

SHA512
a5a507cd82f74efae9945842cdfed3c45069a299870fbeaa7c0fdd4ca79fb653a8af6c5c663a714884053a3b75be567b337931659e6b62bd3c977f2d6bc66da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcsO.exe

Filesize
476KB

MD5
ccdbe98ccb93c925f7483569c9d1bf19

SHA1
17ce65fe0363f6c483df272ab8d36d14c24c6770

SHA256
62d4dcfcfbe2e727e0785b818f51ac4c55db31eaf7db5238586d560312460944

SHA512
cfab90eb6d8b146520b5202c1b3792bcfe529d85bfa536ae82c3f5a9a7acdb8d5a891229d702eedb771632e989b30499c1191ac877f11a466e837b6a6fc4460c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIgo.exe

Filesize
193KB

MD5
d717088a6a81cd17301b74fe53bd9231

SHA1
40b1b2830d3000a98c9fc820064fa3c58a6c4097

SHA256
487e188e6f3a60345f84e258572ce51731161ce01d6a51a5a349c9b8dbe6a83e

SHA512
b5c455b88ee14f5b472f7d14c80c69e51620d6d4cf0f6c159a891becdbdca43784182cfcdfc6adebbab4b3dcfcf12e7d81b451312cdd5f61f75cc5805b832701

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUMg.exe

Filesize
1.8MB

MD5
db64016568661604265b97feab14c220

SHA1
960260ac27b65d8828c463df739a62a1b8e26fe8

SHA256
22bdf790b5a6ffdc1461286174c18ab6ff55587b8f3895755466b817ccaa9e8a

SHA512
6e0cad221c8c1c03bbf1ea6e76bf8f7a0b31c1395962272f3bab6586f84307bd9d445205a05d733f2e3c0e71ddf49f34072e42bca303c396567bfe559b62fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIe.exe

Filesize
186KB

MD5
7e95450e9967e80617dd85babef29474

SHA1
158592192a404d059870ca60175e738d7117d0ad

SHA256
93df43ce8f9ac9c3dae7bfd4d64e57a454a959a2012aff2e3f42570acf1c60a7

SHA512
39f4eb59b3fc7c53386dbcb5baba05d1b1a770816d822d8a07440a1dce71ce9a496fcbfb8b5eb63309824c9d193f1f8c9d602a4a229688939db21d5b76b2b3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoO.exe

Filesize
183KB

MD5
33ffd9c8253729f85678d0b81d8570e4

SHA1
dc86b80577c8499e10e903c519b1ccf204999b79

SHA256
2369b262b752c5cb3a0720f828dc1054e7cd40d3a172caa78d3ac3db5bbd5f9c

SHA512
317dbbf54d1f0beaf049585ace7f45364242cee6ab6ad81c3b878cef53039a0a86ae7f8aa0c18fd828605571f82b44baa2bbe70086cad06e13a6ed8256013baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAwS.exe

Filesize
202KB

MD5
50ae8c135e5cf3667857607284247d09

SHA1
71c28bee413ef471e4a71867bc408c575d175f52

SHA256
ceb81de6ad90827218bf83ddb3f091ef9c2e2a6ad56fcc43fd453830c27ad03b

SHA512
99a36a1c2faf0da09c33c8c3b6afd9129ed1241110d379e9ef3773f1f5a767f2f0a7afcb48c9911d0b7c7a811f66546e957cae79ce1b8804c46028f75e5f4f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYe.exe

Filesize
347KB

MD5
27e4602350d0ecd6d030583e42498d03

SHA1
49fd030ec3d3699f3d34736b0fe2435e95b6d621

SHA256
efd68fde9fad619e18403137530e18f57479377c7bbbb9936e9111104607f787

SHA512
dba34f3fc3308e3a7cc3acb0983945d34b5dddf9b0767ece5b27b1fb7a71f5733f90bc3658e0b76666ab16428d9feeaca2bcaac1e9c3c56fbcc2623231714135

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAU.exe

Filesize
813KB

MD5
557c724aac03688a392f1fe28ca4a628

SHA1
126e500bd30fc2b23904b143b7fad68ab57258b0

SHA256
75b1fc5fb13e52dc3b246fc89095dee9db55d79bb3b4651a58db37c5ea7aea4f

SHA512
e3205396c9457abc82212f4ae112acafaedea8ac62c88d1ce4ef15102f71d7d52d9c551b7c512e49f61689336518b00d848b2785e8b60bd87cf7b232cb37ec58

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYW.exe

Filesize
201KB

MD5
82097600391fd2e44fa36d14679495f5

SHA1
d3178cf522978c43f053a7be9bb6b0c47ef1fbd3

SHA256
93c5ab8a7a8ef932dcfbdfd34441572b621c594b3214aed9dbf53bf1cd2a1ce1

SHA512
e96a029d0727095bdca4c2fb94795b30f5635ae647e96be95b100b6f97c7fed0a322d37689633867f87cb5f87c2118aa77e39f61c688cea621a17e4d47a8b7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwG.exe

Filesize
198KB

MD5
17c5b694af92ed4ddf4289133642f458

SHA1
b8334cb887e00e6a157e66d232c343c03a5d10d2

SHA256
4fedd545851bee1100e1b6af9a97612e0b2e451ef227fe008b4cf144ce8ade5d

SHA512
ce21ac4d35d34383942454aa4214fc8fa1a053d9a84f51eb7a03d5dd6bc36bc4a50f7863322274d64400abbd2e4d864ac7a3f461c011e32cd1ec57e3c4148fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScYW.exe

Filesize
199KB

MD5
e53c82639894dc9e6b8292e6aa031082

SHA1
d135c7198506b8a8cd7079235c2f79b99c478d48

SHA256
faf4722d1636dbec1697aa614aa64e563a42ea84b93f4f3d668b69d6575e2c71

SHA512
2d99cdeaaa04108a79b0be7d652bbcfeda6559dbd7502dd03499354c01a17bb88944a65c66bc587c7fd724dfb3dfc6c857067937d53b8112dd512ea255799655

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIK.exe

Filesize
202KB

MD5
44d74681df436963c467b3fb1fa6138d

SHA1
84469daceedbb60c2bb465b4cb1bd418838df788

SHA256
3abc5d98fb71e2c06c9ce46916ce55f4b1492b3d586a532c5692b36d3289d4e4

SHA512
af14d04eff1cf4a2af75717f248029fe060b192b2827ad28bf6d80cb581c111160d3cd7123c9148ad11f47409ad901f2fa19242a71e11d5523a239eb9c788260

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQw.exe

Filesize
204KB

MD5
7459ff9d1d0b06605f8ccb22f5351c5e

SHA1
046f4f550c479c6200d5f1f0bef564a15c338670

SHA256
36da111172a10d5442d36b319176f2c617605123c6ad3a1e4f04cfc949a71b7e

SHA512
c9bac7e2ff8967d27695b113024b5dfc3ae130d62fd06d8c0358ab1f14366e8bd4304c6b7cf85cf37f4f7174ad9fc4796ebf0b4efa61fdda06eed0a62277c64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUm.exe

Filesize
1.4MB

MD5
a6aca3d7f870470c260342276acf0688

SHA1
17a769b960107f7fb8fa0a6e4722d983039bc196

SHA256
a688f5afaecbcc29b19f5a667bd97a7fe997365981340f3ce1fc083e4b462c59

SHA512
072a34ae2066fbcc5a5191060eb6d78a6d71aabc24d44db6160e69557c699408a1518b603ca485e3e0b5815cb74a7d8c172a15180e3d710bff975f249e164349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usoq.exe

Filesize
1.5MB

MD5
f68a95de94302a1fe99215fdae2a4e0f

SHA1
c1ba8c49d5e748443ad770b810eda71e006d9339

SHA256
81b8409b8261a5a2447158d833891347e1efa0d2cdb6707dc8525129b0187cf9

SHA512
9931b99984e7850c13988248da1decf0ed3e0078cb83586fa3a2fc01529a378ff8da4d004d6b2f27dab37bfd0c703d495abedd0539e869fad1f024906c502e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMY.exe

Filesize
198KB

MD5
205f11bc8ac8a59cf76fae827d601361

SHA1
e6047c2cae7f0c536cce18c96a59cd067bb4f09e

SHA256
f7a074df0c7454af7a9f92f1f08b8cae17bff2420fe5c636b17aeb3b75a49063

SHA512
4d5f4d27b2f73fd766690b7060504cef7a625923cbbf69a9318f0527ab68e03025745d99158983c783cf57cb8e17aa60a4b02a2d5af8dd876ad450b86ed11000

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOQkUUoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAoW.exe

Filesize
211KB

MD5
524fc2e059cf1e6fd6dcea5ec0a89740

SHA1
7cf2c47efd7f9489da2a47036efc2d9e80aee8f1

SHA256
e93063be920b3d3bff50843e9dc106aba1132b3334802f5e9f83eac8d93ae0b7

SHA512
f14ebaaa8e65dc470583c0c42d5bd488ebe538f9824e9703ad325e3351ed8179a2a9975a00ace94d71849dc90a5d2cf21ca05018380b8b24f062f3934f5539b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIkU.exe

Filesize
185KB

MD5
d65695b6d272cb6fa9646fd77de71087

SHA1
175b767266ffe537f489e882804d16644ccb605f

SHA256
4a5526fd94cc317c9ceaa0b5788f78e6e27909d40a8aeb78a30f98f3aac0b0d8

SHA512
8db62cf5fecbb9534b38b43ac491573bcc9fd63b0e5c4aa57cfa99adcf68f98f37b5576d6c7d465e84ed901f18b30eda027b0228b22cd67641ec4bf46123d474

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMge.exe

Filesize
194KB

MD5
115c7b4dc48c4bde501adabbfd25c661

SHA1
17f5f78f2740685c088c13f9cc858a810c89cbba

SHA256
6c9ad2e1aea748f903ae521708a196ee77a30fa9ba6276654bd9b30f67308d74

SHA512
6dc989f7c14d28f935a3f0a5b8a6cc5dcd29c97887be5b245580113892331638dbcbefb4e8da008bc0c84580c0c4faee539323ed5d1a3f8a53d02c9dbe7e4fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYe.exe

Filesize
201KB

MD5
bdeff5a7fcddc55773359a7a583231b3

SHA1
af6ac0df91c4f6cd51def04b3ade72839681c85a

SHA256
f740b54d5e47b2c14f0428d233520b437418fdc36f8b2230807d53c7ac2f9674

SHA512
eb518ce58c0a92c67a87f396d7f23e770d8483ac5fcd298d1752a4113011664318fea0c3ab39cbd413cad991461096bb7754e1aac2aba57328fa8db4f27b2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcwk.exe

Filesize
192KB

MD5
4a90c0a8b16b1eaf77b4c97a93827389

SHA1
6b1b1b55b58dec76605033b037e50a0448a40a9c

SHA256
18e7b49cbee1cf6ff7ad8360702c2a4cee7f43aa6d0382e2fe83cb184377c284

SHA512
3aa462d9a3aa78f33322f4cd420e1c03d323249ded6cb8721325173e689abed548cc68529bdd0eec9278a5479a552c18487be2600b54a1a36c3255854e5fc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsMY.exe

Filesize
191KB

MD5
b7aee742ce484d7aa3d59d5dc5c6b3c9

SHA1
1b8222b79cfad4ae865ca3da0c8ce34a724a9c5d

SHA256
ee9b9c92340c8791470402c2c7ef44ca1b1290ee8be4c39eb9a552060dcabb3c

SHA512
c42e9c3ada44782d7ff3d19dbbe80aa88a3adf219c336b949ee24aa453515cabafba85fe4d8796d94036ea0f3b412b5b1f637e8b987691c66b61919092e376a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WscM.exe

Filesize
770KB

MD5
2cc3c4a2c47ca4a07ced61bc24b2b394

SHA1
fdf7db43b9b6d9c2a34281ce5cc9406cacc75571

SHA256
2b38c2010f5074f6c1acd9f64f7125375b99ae84ce27dfcaefb3a56b1c291014

SHA512
cf3c13da7b7d502ddf2b205328b3847f4688bdaea0e17381cf000d97b88712b440010808f0cdef240d55764139b6d2370c71a47e532dfd3537d13dee03cf38ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wskw.exe

Filesize
795KB

MD5
813d393e353ba0ee09b679e1ffe7ce57

SHA1
ac4b436abf03b889e6b4f03d8a122b2fb490f10e

SHA256
9f95c76a0936acef632f76b168898e1727f57316278857fe33c19acb0b027660

SHA512
d07fae2b4d11625492e37d1d7eee34b795aa3ab1873c66dd29ef0b36601ce89ac910016f1c9a045ba3a002a376486dfca33fa38dc37a4b998bc5a85a88470a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYe.exe

Filesize
184KB

MD5
5e6f742037852a8898bb2a139389d7a0

SHA1
5a171ee4a7698f1c714f85b16572b35657e8f169

SHA256
045e0eaae60e31d02148290e0c47ec76fb9c2ae9cabbf19f67a1f2c375060268

SHA512
d4075a20b2d4774464f261844855df9bebebc63aea5190541ab5d72dd7585f2420f6164bc12dd6568934e8857f32b598b16969cb61cb6aa50fc5f74244566b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYEu.exe

Filesize
1002KB

MD5
24c107af01dd1f28412e4a0806a3ba52

SHA1
e45fd118bac28ee161e633a708cadf451122d811

SHA256
60bcc7cb79200cf60aafbc390210afdab1af6983c998bb4210c2fad1378a7914

SHA512
520407d981952051daf7ec98e7efbeaeaecfa050adf7a7d944566692e03a5230a0585cf4aba4259e7e1a03bd050b0477d8652a8ee7a0e931e6f76d5a04f8f5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwW.exe

Filesize
813KB

MD5
187e95c9899277c6fe27d6875b3636cd

SHA1
7d46bd769edf30c4d647183b5929ec2227e25a6f

SHA256
f2e563a1eca47b3c6a2af97d70bd060f5abdb9192d99ca2a0a5c2c52d09ede21

SHA512
555275ce39793c6cc49fe56bb61a62f81debdbe6635b65dfb37b9b55965e8400a3d47323797798138feefb36470c2fcce6bfb22e3fd7bfc98e49f55f2bbf4937

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yccu.exe

Filesize
5.9MB

MD5
1a16b86e55199d31a40a65819c9b5d70

SHA1
4284eadb6ac3c750688f3265792d2e579c6c54c3

SHA256
3505fc679677a3640b8f544aa53befa92ea7d459afac159c2ad53033e410d541

SHA512
e10236420112c8c22898217d7368767d60ba1995c381869268884d3836fe2191956c785a3fc8619a6044f487eb3a9fc48b53acbed648e34f7177091a76d0e1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6f7a6e87bacfb38f63af467530d6e0d1ff2a4a4ed9a7a32063920a67b0057d0

Filesize
1KB

MD5
d33a50f0fababa2847acf20252a9f61b

SHA1
73974a804f079a1f99d5acf6ab12b3cf23f00ede

SHA256
a4728343f87e45e79f5923432f035182afaa63c26db0259b680637f7ec8498c1

SHA512
d6b9a891bead8f26221a8f571f67c74c5c0ae975bf62fb631388301419ebcec1844a491f5149f2d11c1314ad2c80b039982c56ea84d34268fa11f9680b16f4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMwE.exe

Filesize
1.3MB

MD5
5f304a68ecd98d75112673fcb676bc69

SHA1
b521a7fb9c4a73042bcc3a3b5e55bbc1aaea281d

SHA256
83fc35315fe22883eaf587e0d37b7aa767afe1601d412eed041a2f7aa913ab76

SHA512
c2b238d41b0b7f38f621f3788c3ac41713605846ffd1c0fa9c7af3b547935c2603eab23e147da43e2dda435e3f624f0611e5a7b0fbea1cf3519f3ef513237ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUW.exe

Filesize
230KB

MD5
7b19f09987f9a1cf2ca310935e75525e

SHA1
4e7a854f666b9e26b47f5a1634492d9e695e2d43

SHA256
f87385950745a0cb304793a4d6ba6cbb551be82db6e62757b5ea1dccd5bfb89e

SHA512
0eba091fdadf92b224c443868ebb6c736cfd9b50d8bd92a48c7232b9f2969e614bc882f106c3a759801662267fc2218b13aec0ea9750571176b611054f388ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUUW.exe

Filesize
221KB

MD5
570bfeea0ed8738dec7e9be5e85ea0b5

SHA1
2d30ccab2ad59aac913909a672d3006fa6aed06c

SHA256
16990683b1f637d82541120f115796ee5c62ba61a13957c1c63b13c8e0125eaf

SHA512
46db370adbfcbe1daac70f544201acd99328a03e5a02145b5b4c66a39962c888852989edc71d5895c9288f14cc91c980d147acb4ca3e8de06c7355c42b9f5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\akIm.exe

Filesize
194KB

MD5
97aa754554c694ebf793ce6324590c96

SHA1
4619460e634a8b3aeef8859e7ddca4ce9fa59f6e

SHA256
3d4018840cc75dcfe31b97a86e1843a1638c97f56230aa9c80f4ec565e5f6dcd

SHA512
acb1e91bb38ccfe7bc8358198a40acbea727a7854402fcfa4bca752a6e496488269811de01d2bdb386ff4eb02975ad62dae6f5ee4e49ef86ac1e3e3cae2eaf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEQ.exe

Filesize
227KB

MD5
18aae15b076bfee61d4f2f8563895533

SHA1
c0b6ddb31c7cb04397c49c22836c50c862d27176

SHA256
3ba7f75247d78cf57f6b733e82b5d388765e9d7b42f4ea50e88a8cbd40794760

SHA512
da0b7965dc389de3cb84e616448926901a2decdfad41c26d839dd8adcaa001a6d6cef8350d1441e5ad4ace17bc85abf284ed3990fa75cb41e80c10efc3b87c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwA.exe

Filesize
187KB

MD5
b9083270bcffbd5aed9b5ea1dc399da9

SHA1
5113d26e3d07f54c220d692137366871d38d87d6

SHA256
9c5149fe5889a77923416e5c1422c4b1f91654120159edad96d0168e14732c71

SHA512
c84ae1d9c87e4e372288a08997a96c48e6d6b904f77100749d5b1ee8e90b91e34de2825a436436d9bd9ff2135a85e89fbf165fc9bd62e79e077b4be49d8fba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEAK.exe

Filesize
921KB

MD5
e14cbe60e535d9009a9ab225e737c1b3

SHA1
4649cafe7247fade0865b74006860639aedbfe9d

SHA256
c81f13ceba11bd87618e1129aa9af3cea5c1045ea503b86239baae527aa5d420

SHA512
a9cd99b217507f38880b07f7754001af2acd0d70fee43be379db741bef2c676f4a167545f2a8e2b4733f402d4f5812db67d47fef87865a8135ad39cf2362d688

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgcS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMcw.exe

Filesize
218KB

MD5
2d2b01289530c56dcc752a1a5676a2e5

SHA1
14fb17e59247e2c706ccd8daf6f073b62d958766

SHA256
9b54ffd717b61cd6f84b82065659c7bd77beefd1f9d8af8fdfe97f83789bd71a

SHA512
4da680ed5f75cbe1724b500c7216f79d36cac83913e47ccfb2772045f00f7884afcb6bd02d2dbbf2b34ad6ceea39f67b1ba7a3151b82b47c8b64b9848ba4e97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekce.exe

Filesize
223KB

MD5
49afbb35eaf2ea0f70880a41db810ba9

SHA1
0ecd054baea30b622772cdb9818fa9fb87ffe517

SHA256
cd7dbf3408078ea67c8a713065e7dbed0d3a698be9c63b1c957cdb548f52adfb

SHA512
0a2344528af64f533fe06ece7e910bc93bd18c9dcbf4111e4ebf0f0f0458c1f9c1238d43ae85fe0591bce5f17de03901969d5e4d8ee9e5b285e13a5bf5cf1f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMw.exe

Filesize
450KB

MD5
1def85a212925b55a78f0da56116b6e0

SHA1
23c708f9703a7cbf0272ae9e1622ad40d5eefb49

SHA256
3080e62a1bb43c6cd2ea83bab935394d34c9a97b2972b5adce181cbd71590511

SHA512
c88ed7cd4a45db9417e21cc5340db14b828155d741c9f7978412cc13998522b33d3b99ed25efc96dfc6a3cb4c7e572e940a916a28995d42e6d37065fff043682

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYs.exe

Filesize
332KB

MD5
7076d78a4cd4d5788da859d44f024614

SHA1
311c7c24fc61f3a56efa27c09f86d0209abdd1d5

SHA256
876da4476fba26b1333baf2706edf1f154cd1f025d69fe1e1830a11bd2512546

SHA512
6978fc032954e1c972b5c5311defab9ef04e6a7393f2863d93e2af78066810eb84ccaa5aeb270b4f91e081987956d696dcdc59e0849386a0abdbc09a755e8554

Download Submit
C:\Users\Admin\AppData\Local\Temp\gowo.exe

Filesize
189KB

MD5
66d0f9b64f23231cff1b224898865026

SHA1
18463a24e32ab67e2006a9516b7d8138344a717e

SHA256
0734aa0dd33579bd2b32c2907323a10b2461fd72a8b80cf6ca4c42f5ed881648

SHA512
04c03a70ddf88ec5cb3d7978f594cc1fc9301d7293425e7a12c8ade9da397761a5ca0436c87e0ad70ae49ea826430236e1c7b260e6f3a1535b2973b5365ba6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEAI.exe

Filesize
193KB

MD5
b71815cf92bc6f26f2d841057f201d76

SHA1
8dd8f2726fc0181cf2477df14c6bea1d086f419f

SHA256
360ec73d9c46f0b6e736ecc4f122ef12b2c7193d1b25dbc934394524c09e66b6

SHA512
c9c1b876893863a7d7acb1a0d110e8ac90d5d3780bf1e9b33dc6da3f678c4bc1e50228eb7b0292c2be67818756cdf6077a5772960933327c668023da57f1815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsW.exe

Filesize
209KB

MD5
74fa4f6ac93bb2b4893ead134a688c7e

SHA1
07d9a335e0799d458a529643bbdfa0cebd2af9b0

SHA256
7485fc84b32d4e47400b7dbc7b1f092eb3918531e1f83d6e0a093a19a772c391

SHA512
de5dd7c5b23a5bfb2b989cf6369b01f4d2b6e6f7965a65df39beadb4741ebd3dc0a36bd68e9507ce0bb15754bc3db790ca11f96087b57603d789843348178ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAG.exe

Filesize
219KB

MD5
100d71d9b0f75764d7691846ff6bd535

SHA1
97e7d7cf871f449d395a9dcdb96e9b558f787632

SHA256
37d3e816070ba1c70a4716c2d9b59e06d4228141fca1a8ccca0f2adb86166ec4

SHA512
c73cc530bf4e231312267cf2107c4987bc2753adfcef040e1ac7002999532b2db298d1cc59caae8e04d607b9cb563cd1ba6349607248ebf0f1538be85ff921bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMW.exe

Filesize
202KB

MD5
02dc5e800b1de7f2b66595ba3a156127

SHA1
678074d86845c38c08fca00f6755093899d8a773

SHA256
893134ca39456ed1e0276ffe6d07f0534702371c4ed053427b3b26701da5bba4

SHA512
d330640d42ba05a11845cbaaa6261a60ec4dcb923f5e648033ca27d86ea10deeb6d3882e21c2164b9a03e04199b1d3995fe085c6b37fc021accc69584fa23e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQkO.exe

Filesize
186KB

MD5
fe3b3119a2c44e6879e0338e35c9a0f0

SHA1
f16886b484a53912518ba65833cb49a0779b6be0

SHA256
54ac9af0e82376bc7f10124984415b86f31d4d7fb98483ca62f3d13d3eac2f43

SHA512
821ee2dc1b2cac7e6f035c7d3a768b0e9597fc94d873fa7aa615f4e024c7148bd5f6b82fca177b8aa3ee659271648dc216270e7017cf86daf47dba67ca02be4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\icoU.exe

Filesize
201KB

MD5
bad85d464d29d26c9b7252d72969af5d

SHA1
3e6384487c01c21b10552f831e832e62ac4ec47b

SHA256
7bbafbf2816e29e17b0e9c88b02ee35501b8a68c7fb4c25da84d3d218cb45fb0

SHA512
e058610bb65996fac4d16e6a96d9263b838fc8d11d8e8a057ff0b44ca9a39b218a14a4fcc7689932c4e7d4a1569bf5cd95d4f8842f9e0dca0c434db7bbe13645

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsO.exe

Filesize
205KB

MD5
1a1f83277f6dba4c14522c935797f22f

SHA1
a8575adcb98cdb5edeaf3d1801b690ef9728d305

SHA256
fed24028c266eaa3b77f52d09e57ac3c94d7ad4f5bb6d1ab6eb3be45a755ba3d

SHA512
4efdf4a91518594acc536063bd86c19e69c4802780f0e73ee68d291de6ccad2be8f4bc71d52982ef6f56dc7780bc46b209933050b1902a988d649779bdbf5206

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwg.exe

Filesize
184KB

MD5
5aad2da54855d3974b37312710d27792

SHA1
addade344389832816e0f825b37f7c2123d3edd2

SHA256
a73cdc4d345df34e399d93385da544a40518a106d03418af46641ace896a2a3e

SHA512
ee8c170772d121fb69a1900e0c0e6b867afe03dfc39743665f286f0bb123ead6cb0c5e03195a12849653df67073a7573868119b52d489e65f0ea1f25525410e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkUi.exe

Filesize
251KB

MD5
18cae5f850312ab72933bd2920ce65df

SHA1
e3347b169a3f59d7aeb6a061ac694322111108d3

SHA256
ef841ac6c225ea924a922176e1db8d636aedfd0f0cc739c996c6b10234ffc2a7

SHA512
797380e74452253ba0f5e29a48cb2802897873351008a09f8a2b4f12aeae21df975574b6bb22ae4b66f44b8a562033928618c131b6c3cd4fd68471c1e108cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkgC.exe

Filesize
566KB

MD5
e24ca8079bd9960a1f882587c21868a3

SHA1
4f8b0c9d33f9aca6e220059fd06b26a9d1201c34

SHA256
da7ea06e90b5f9eebee62ef806d1e0ef0bafb2da96baea605448db3c9295bdba

SHA512
4dfd69636933cda74078b2360263c64c73306574f082bb545c32e93d6dfd6a72609eddf86920a0c1d3b175cb84ae55c49dbf7f4c04de962313a1ed96d7e4acc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEcs.exe

Filesize
204KB

MD5
909c92ccbf681b2e906a5670ed62e331

SHA1
2477029b34aefd9d85340c925cab3b74f01d38a8

SHA256
7cc56a2c13e3b150a1bafe5e1f4477cb619778555ee4b69b0403ce10fb4a0994

SHA512
8cb7785b6bf754cd376e9e8f51341cac6494a75a7b0a4535f5301cd7ea6c69039aa0eaf12ee19a616a89d803f240c0207c0d44244a797c0190144bcfce2cc845

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAY.exe

Filesize
196KB

MD5
320245d62e3e9a6ac1d92c7d57409b7a

SHA1
45585c880258d82b8b6d00741c6a2b247f9bc75f

SHA256
0de7d01a74e9989a889991a16e54fd665b4d1e40457be67c89049552e29f2622

SHA512
8ed65acb5b76a7eeef8d52ecbac9785002d2335776a8151497b93fa303a560dfdfed21786df8aa26929d52ab6406f8c796366b3adda0d68efe2092ed3a30ff04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkga.exe

Filesize
197KB

MD5
da124d32b0caca9a095c67956e18b6a7

SHA1
a1bda13a40af4814f427c86bcbaa35365dbf3611

SHA256
a24e482406d4ccf5ad931674f98c8793de27de79d54ad63c56748075e836c58a

SHA512
354ff779d00045d27b3044727021047fe6c199861b8244506518e59418f2ae7de3d289ecab136917f97f5496d524b978e2abc2c2cbd3ae8b47c70a5ddb84b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\msEQ.exe

Filesize
642KB

MD5
4a00c6c0edd38fb385a90469eb256f54

SHA1
7c2c69e97dd91f68a4a9ec292089f9b8a0a3e099

SHA256
d3f7ba49173a23de4beff0599daa2176167de32819a59685889ad2899795b420

SHA512
aa8efe193d1974c3fa44a820c98c457355d946cb88a55fbf326310cfa8bc95894b697889be904a3e045511bc020f026ae85e44e49589d428ca0b77af8979a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIww.exe

Filesize
200KB

MD5
6baeca99937c9d63d2cb24adf7353021

SHA1
6891acc6e7a193a4470ebe7ecdc0e91aa487a2ee

SHA256
1ab275301301fe1a1bebd24059042f4026f8bd58edb2f49bc21830057b998d4e

SHA512
f6ed957041e027b42a85ba436a98465344683be72b91849b72118819da6e0cc2922bc31a819a9d789b083a095a0b84a29cfcca5f31cb26bb75aa4daf12f4bb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIo.ico

Filesize
4KB

MD5
c7fffc3e71c7197b5f9daaea510aac10

SHA1
23262fb8038c093ac32d6a34effbede5de5e880d

SHA256
71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865

SHA512
c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQM.exe

Filesize
565KB

MD5
a6715a8ef04e59a9e5e44158dd0c6e7c

SHA1
cd362fd3bda00fcc5bf22a6f1ab9ac9917047fe5

SHA256
d00411ddd75c8c2c93773feeea42b12b9b0e99b82fb624cb9de4ef6ad59b3ea1

SHA512
ffd2970a86859afa75bde96e0a8856bd4f2e005281edd2b91b56b80c6f0819096dfb961497bf577e34765f5d87eddf7c9718c37139681376d943c7586ad567e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oogg.exe

Filesize
378KB

MD5
980ffe3aecf7ef270a00821177539d95

SHA1
0f7acbcb522c9c6e07884eec2eab7da6b1bca31e

SHA256
7508c535a3926ff9798b5a2f10ea6e6a86b9b468f0412ba745bf5373124b4954

SHA512
853cc0c21a325af549f1eadc72ba089e7c2ad46c3f9a0cc664d33ab52b200d1388e584022defd76a645ce8b6c363d0969ed2086bc260e4e2160f1c47f2c6043f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMcg.exe

Filesize
221KB

MD5
5982e71e786057447cf90dc73beec2c8

SHA1
e033a7af4b2b189f12088bf5bb6c1f0d3d16ba41

SHA256
0c966cfd4eb6d7fb94ae5c4163146e57de98e5919d3634b2cf34d1be14b278f7

SHA512
4255bcae84e3b443fbd99fd98602ed1a5b6b889b0f9f2110b51d2b51abde2d47ca9dba074032fed58fbeb426bc70a5768f0e1a3e58dc1262e553469b9913e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQEy.exe

Filesize
195KB

MD5
58656e95532eb2a93c6c325516706e8f

SHA1
a01d3133dbc2406e337f1a1dd095a7dc51a654e3

SHA256
51063c46f38877d8861271e4aa1da2cb0d341b4274161c4e558c234223a15acc

SHA512
4267bc8667873b305ffe03e45dd7b6122d17c8b9af73f683fa036fca738a3dd2d7107da0f27f4b6850dabd51e0fc563aef90e4355e6caaa2cd4ff5575de803b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYO.exe

Filesize
205KB

MD5
7749c3026e64e57deca12450a06d53ef

SHA1
7f4fece36e4db1d7172357cd5b9ee2a17cb1c99d

SHA256
61e3c8720e015cb435b51c3cb8afc252d5257bbf5a129e835d8a2595be89b3e0

SHA512
2f0708fcee23dfcbd4b58d61fcc0c70ab5162414ffc7ddc67195b8649cc4407b8d9eb33ce36d459a4f59fffa6e1adb28e3268b6fde2ceaad696ed6468eeb4dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUE.exe

Filesize
198KB

MD5
305122263a55be11460eb23e852feae3

SHA1
57bd6bd6df163e5d4cbb841a54c0f40ac5ff7902

SHA256
a5cbbb26396a04583c50379e91ca441cf91a3bbe69eb87b4693ddfaa416d7f03

SHA512
311f1a019b2b258141638759e1ba2b042d6d7396509da844c191999afc855148d7e13d8bf3ca66845540962614b54fa3ed744f6649dd1e060de68bad684b5c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwko.exe

Filesize
198KB

MD5
e72ff0654aab3b71d007d4ac2ab3b2fe

SHA1
4271432d4ec2cc6bdedf95da0c44d3af409feadc

SHA256
06258aaf8135a6ed3ee0c08e567e21cb16c4c374dba67a421318a89188527e88

SHA512
09b7ad9ed6dabfa869b5fd990ce9abe975216e82a294f944838d8c142ae84d545b9adf14a404545914e1ebd33cc0568056ede57471e653ea255cc59c3cdab7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAEy.exe

Filesize
640KB

MD5
d69d5b00c280488988c4529b6c6130cc

SHA1
82b409d7fae3792c5c347c0a39b5570785d21190

SHA256
1a1873f878a06c960303a47c77db44947c126757ce4fd88d128de36819ad4ab9

SHA512
f2c08e457efc32d4e781bef60ecdbd524d47d64e55d29f995227f10de941b7068e66d527e22beab8db7e5f0596b61887150b6463ec570006582359dcdf57ba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwC.exe

Filesize
206KB

MD5
44e1cc9415169b6253c5641e94db8acb

SHA1
f0e4a155ad71d2924d82716fefbee7242b8aeaad

SHA256
ada800493600193dba439165c259210372080a199043d105aca22285902ca1a5

SHA512
ff548d532d4c11febed8c765bd7eb0f45f54a394b59b6f4df27f7af21298aeadd19b0891c0f62dad9f5833068af72c0ed11c25de2cb58b116e75f4622ef47526

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwy.exe

Filesize
204KB

MD5
45232d9a47860b6a564ff5fcee28e8e0

SHA1
13999dfb3563922d38d5b141928e3f437556aa5d

SHA256
415214431c4d86b3d54965f078b66b36566bfb407f22332728997317ab0e66f8

SHA512
312be7571c09befde0afd85b4608dea991ee6c71384a66f8dc73156e0b90b5abbdcf5a02f89f9ac48a42e28eed0d20e8cdaf4b8dd3f71127658e4666548538cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoM.exe

Filesize
208KB

MD5
76cc98cf8fa7fa51d04b8a8d3c48126c

SHA1
da0a246c20214045ac05817d7a04ce8ba554f563

SHA256
e18dbc93b548d783d9f3e9e21737b89f0b394fde1470f2e491d5d4cef02b3486

SHA512
cb9a4bce9b5cc94ec9ca175bdc966591535df1d7230877a7f3fd2dfc32ebdffed39993ccaaf32c77647cfcf8b9cac264a38b770da8aebb1dcf975a9286b10864

Download Submit
C:\Users\Admin\AppData\Local\Temp\swkE.exe

Filesize
200KB

MD5
c537e78a08a1a63ec3c4330c8d178f7c

SHA1
92559019bc2f40ffb1419b88c5182ae7852fb41c

SHA256
cf39f7d881ca24b7cbf3f45201f453589be31406aaca28481bdd96a360d4ac3e

SHA512
26a2038aae13404151663b4caef1fae84f5524aad5fb10333f277d17a928e3efa1ef6ccd2a1e3fb307b90682fd07c632bb797014c3fb94d94d6bc53e76194821

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoI.exe

Filesize
222KB

MD5
3382f740292589cf0fc4b1dd8a1b11a7

SHA1
fc550f5a86c177243f36f3745387b6ec49e15ece

SHA256
a356def7108e2785d5b959a4c3e953365c02fce374bde4ecda2aee0fb91c9a1a

SHA512
50e901eb1de5e20b3681fbc4e8c67d351b35e14c029f944292dd57dc0b0cb95fef2e04612e51ab6741d90ff5f3aa1daa1e701af26b6b658c6b77d1088446381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIwq.exe

Filesize
787KB

MD5
7c3b9eec8d4ff7bc875dce0aedcdf0be

SHA1
32de5a03af665ef757179fe1e2924ca7863b9c19

SHA256
529275f79aa876d4637ee6558a8aea14c2d5e868d6b55b57b9f88263cb38407d

SHA512
2f193940ee90dcddd7c8070279e5217d269226ec0cbc78a0b2ffa7f63aedf573da9d9c7a49992e5da92bbeded7f5a600ae50bc8b9b7567e6fb82e846cb7a902e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIE.exe

Filesize
794KB

MD5
d62193162f810e3221421287315f0320

SHA1
3656abfb8a5c8bcfc176e9492b189581b32862e8

SHA256
f7f3a714c06b977173efa90fa5611bdcdaf6e9f3a86522080ac264a317c8c523

SHA512
dd36ee0f4bbe53e98722ae6c4486b3c0323b8154a26f651fcc1b5215229dc56537ec02d7d77d4e9f6c30fac555ff63fd94fec075717403f436fe3250ea0ebfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMYa.exe

Filesize
208KB

MD5
6b01ae205e047137236d7ffabe6839fc

SHA1
74c2eb52fa68f4728150e96ed2801c26979faebd

SHA256
90a22e8535226b765a8b14830de3478697de1664be0b37ac6c2b73127d86936c

SHA512
a63067158903c671e3f5dd5942b735b8d1702a3f131120b170c2eb0c43be0c28f8d6d07bd211d6d96693505a38e0e8371fa4f32358171ad44d6ccb0436fe6610

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUW.exe

Filesize
1.8MB

MD5
88fe89cd1f70ca454d2efac3e6744055

SHA1
919d7fe6b1be03cd11435084bff1afd4bf179701

SHA256
8306df923a37f00f218d822d90b9c4f9fd826b04c5ed2ae0754d67a880f89cf1

SHA512
b67ef5a58a16dca380d9e92a332086ad127228934028f33b7e387927f738119d13e85d2515b077e7a9135d1bf9f5867040fe646c62242f2757334a36bda40cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogg.exe

Filesize
190KB

MD5
9956892c23723a25f8340a8fc5030bdf

SHA1
56510be26b6aa4cee288856d7bfca7efd52fba76

SHA256
f233700728f19c52b10fc29261dc0c512fab8c865bd4a8cd9a82813be958b910

SHA512
0c87f3cf8f53e75ca8f55176382141a6c36a54b91243c9789a720f281981bf89e6cb46e64f4e1f39cac83452cb2102e7c5ceecfe9665efada0300aa9c53bddfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkU.exe

Filesize
431KB

MD5
1191934a5c2161bda126bf8898215549

SHA1
4d1c93cc64b9a483923e7b0c92eadbcdb484592c

SHA256
19ca846bf9284e7ce19cd7a2ec84b173a0270584ce9a32dc3015b2e4409efa42

SHA512
eef629fd1065e6220d711ca0ce98a9d45c1093f879ead3ae9a4b14d62e75fab013934e7055736bd1e0b83c09f840caaf113ec53738ccfeda3e557807b1388702

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUoy.exe

Filesize
187KB

MD5
0d3493694408e51d9a03c94e3b121947

SHA1
1a3ca0979fa7c5a6498c21ace46b3be1a269551b

SHA256
3efaf458a13cd0887cff33aaaf6cefba92c3ebd10ece8a6cf32a65480764976c

SHA512
abbf45ffc72c736f06dbb89f21542e9699e2ab1325d64bbe86504d89affb65e43c50397e38f458832c24c533e7b12c6e561d4763faed8b849653484543b9df9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yogw.exe

Filesize
324KB

MD5
aeb3bf22ac21c5605bf4e71c8011f622

SHA1
23a076ac5feb9d0b8951b183496eaaee35cf9a3b

SHA256
674ba65ae4b76bf022645f34dedb026aebdfbd4f7472531484f7734f4c3c7c81

SHA512
e7b03ed9bb347315126ac75e681027a1f241754150375e757bdb63326f28b7465198b43ec0c3bc7f9724e3d00a66646f8ecf58fb9f05c6aca56f74fb8d17797d

Download Submit
memory/312-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/460-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/704-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/704-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/832-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-630-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-621-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1188-674-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-780-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-656-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1256-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-683-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-675-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1660-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1880-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-585-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-702-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2428-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-402-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-719-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-711-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3216-639-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3364-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3372-744-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3380-445-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3424-844-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3444-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3444-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3556-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3768-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3828-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3880-612-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3928-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-604-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4020-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4020-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4124-523-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4172-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4172-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-684-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-692-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4340-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4368-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4408-647-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-655-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-666-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4460-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4476-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4488-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4488-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4548-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4696-620-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4760-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-505-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-710-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5092-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5096-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download