25aa906488ecd75d67ecd7a9e620da17cfa341fb1f2ea26e9388c5efeeb7a1bf

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561ae02e1e738b522ea1feb1a1475580N.exe
Size

121KB
MD5

561ae02e1e738b522ea1feb1a1475580
SHA1

f160c95c205b28dd4512e872f00fd3af0935e429
SHA256

25aa906488ecd75d67ecd7a9e620da17cfa341fb1f2ea26e9388c5efeeb7a1bf
SHA512

922d137d3bbdd50e869f899bbd3a53194ecef4e0a78b65d30a8d677df9c7e5658bd7eba0ad57f6e1b4180b4656ccf0dfe7786833af5c40d8ccbd35cbd6028352
SSDEEP

3072:iFrmfrydPCAewNgSbDSfxEWVHhEE8q8888888888888888888H:SmOhAKjVES/

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ZuwcccMg.exe

Executes dropped EXE 2 IoCs

pid	Process
4896	ZuwcccMg.exe
4796	OcoskYIM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zccQckwY.exe = "C:\\ProgramData\\yGIoEAQo\\zccQckwY.exe"	561ae02e1e738b522ea1feb1a1475580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZuwcccMg.exe = "C:\\Users\\Admin\\zAcgkwsk\\ZuwcccMg.exe"	561ae02e1e738b522ea1feb1a1475580N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OcoskYIM.exe = "C:\\ProgramData\\scQYAIoU\\OcoskYIM.exe"	561ae02e1e738b522ea1feb1a1475580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZuwcccMg.exe = "C:\\Users\\Admin\\zAcgkwsk\\ZuwcccMg.exe"	ZuwcccMg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OcoskYIM.exe = "C:\\ProgramData\\scQYAIoU\\OcoskYIM.exe"	OcoskYIM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oigIEsUw.exe = "C:\\Users\\Admin\\deskYwIo\\oigIEsUw.exe"	561ae02e1e738b522ea1feb1a1475580N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4720	908	WerFault.exe	1309
2648	1972	WerFault.exe	1310

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZuwcccMg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oigIEsUw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561ae02e1e738b522ea1feb1a1475580N.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1504	reg.exe
3076	reg.exe
1600	reg.exe
3544	reg.exe
908	reg.exe
4924	reg.exe
800	reg.exe
620	reg.exe
5000	reg.exe
4928	reg.exe
5040	reg.exe
2688	reg.exe
4960	reg.exe
1504	reg.exe
2944	reg.exe
4632	reg.exe
840	reg.exe
4036	reg.exe
4832	reg.exe
3760	reg.exe
4852	reg.exe
4996	reg.exe
2824	reg.exe
3952	reg.exe
1852	reg.exe
3452	reg.exe
1488	reg.exe
1412	reg.exe
4636	reg.exe
1088	reg.exe
3952	reg.exe
4924	reg.exe
1952	reg.exe
1312	reg.exe
2916	reg.exe
3700	reg.exe
4608	reg.exe
2016	reg.exe
4332	reg.exe
3948	reg.exe
4744	reg.exe
4656	reg.exe
2016	reg.exe
1988	reg.exe
744	reg.exe
4640	reg.exe
908	reg.exe
4512	reg.exe
3372	reg.exe
1572	reg.exe
2268	reg.exe
2412	reg.exe
4728	reg.exe
3760	reg.exe
4108	reg.exe
3700	reg.exe
3372	reg.exe
4196	reg.exe
1976	reg.exe
1840	reg.exe
4052	reg.exe
4596	reg.exe
3736	reg.exe
908	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	561ae02e1e738b522ea1feb1a1475580N.exe
4956	561ae02e1e738b522ea1feb1a1475580N.exe
4956	561ae02e1e738b522ea1feb1a1475580N.exe
4956	561ae02e1e738b522ea1feb1a1475580N.exe
3996	561ae02e1e738b522ea1feb1a1475580N.exe
3996	561ae02e1e738b522ea1feb1a1475580N.exe
3996	561ae02e1e738b522ea1feb1a1475580N.exe
3996	561ae02e1e738b522ea1feb1a1475580N.exe
4024	561ae02e1e738b522ea1feb1a1475580N.exe
4024	561ae02e1e738b522ea1feb1a1475580N.exe
4024	561ae02e1e738b522ea1feb1a1475580N.exe
4024	561ae02e1e738b522ea1feb1a1475580N.exe
5068	561ae02e1e738b522ea1feb1a1475580N.exe
5068	561ae02e1e738b522ea1feb1a1475580N.exe
5068	561ae02e1e738b522ea1feb1a1475580N.exe
5068	561ae02e1e738b522ea1feb1a1475580N.exe
4564	561ae02e1e738b522ea1feb1a1475580N.exe
4564	561ae02e1e738b522ea1feb1a1475580N.exe
4564	561ae02e1e738b522ea1feb1a1475580N.exe
4564	561ae02e1e738b522ea1feb1a1475580N.exe
4176	561ae02e1e738b522ea1feb1a1475580N.exe
4176	561ae02e1e738b522ea1feb1a1475580N.exe
4176	561ae02e1e738b522ea1feb1a1475580N.exe
4176	561ae02e1e738b522ea1feb1a1475580N.exe
2844	561ae02e1e738b522ea1feb1a1475580N.exe
2844	561ae02e1e738b522ea1feb1a1475580N.exe
2844	561ae02e1e738b522ea1feb1a1475580N.exe
2844	561ae02e1e738b522ea1feb1a1475580N.exe
1940	561ae02e1e738b522ea1feb1a1475580N.exe
1940	561ae02e1e738b522ea1feb1a1475580N.exe
1940	561ae02e1e738b522ea1feb1a1475580N.exe
1940	561ae02e1e738b522ea1feb1a1475580N.exe
3888	561ae02e1e738b522ea1feb1a1475580N.exe
3888	561ae02e1e738b522ea1feb1a1475580N.exe
3888	561ae02e1e738b522ea1feb1a1475580N.exe
3888	561ae02e1e738b522ea1feb1a1475580N.exe
2320	561ae02e1e738b522ea1feb1a1475580N.exe
2320	561ae02e1e738b522ea1feb1a1475580N.exe
2320	561ae02e1e738b522ea1feb1a1475580N.exe
2320	561ae02e1e738b522ea1feb1a1475580N.exe
4056	561ae02e1e738b522ea1feb1a1475580N.exe
4056	561ae02e1e738b522ea1feb1a1475580N.exe
4056	561ae02e1e738b522ea1feb1a1475580N.exe
4056	561ae02e1e738b522ea1feb1a1475580N.exe
924	561ae02e1e738b522ea1feb1a1475580N.exe
924	561ae02e1e738b522ea1feb1a1475580N.exe
924	561ae02e1e738b522ea1feb1a1475580N.exe
924	561ae02e1e738b522ea1feb1a1475580N.exe
5080	561ae02e1e738b522ea1feb1a1475580N.exe
5080	561ae02e1e738b522ea1feb1a1475580N.exe
5080	561ae02e1e738b522ea1feb1a1475580N.exe
5080	561ae02e1e738b522ea1feb1a1475580N.exe
3620	561ae02e1e738b522ea1feb1a1475580N.exe
3620	561ae02e1e738b522ea1feb1a1475580N.exe
3620	561ae02e1e738b522ea1feb1a1475580N.exe
3620	561ae02e1e738b522ea1feb1a1475580N.exe
2344	561ae02e1e738b522ea1feb1a1475580N.exe
2344	561ae02e1e738b522ea1feb1a1475580N.exe
2344	561ae02e1e738b522ea1feb1a1475580N.exe
2344	561ae02e1e738b522ea1feb1a1475580N.exe
3468	561ae02e1e738b522ea1feb1a1475580N.exe
3468	561ae02e1e738b522ea1feb1a1475580N.exe
3468	561ae02e1e738b522ea1feb1a1475580N.exe
3468	561ae02e1e738b522ea1feb1a1475580N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4896	ZuwcccMg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe
4896	ZuwcccMg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4896	4956	561ae02e1e738b522ea1feb1a1475580N.exe	85
PID 4956 wrote to memory of 4896	4956	561ae02e1e738b522ea1feb1a1475580N.exe	85
PID 4956 wrote to memory of 4896	4956	561ae02e1e738b522ea1feb1a1475580N.exe	85
PID 4956 wrote to memory of 4796	4956	561ae02e1e738b522ea1feb1a1475580N.exe	86
PID 4956 wrote to memory of 4796	4956	561ae02e1e738b522ea1feb1a1475580N.exe	86
PID 4956 wrote to memory of 4796	4956	561ae02e1e738b522ea1feb1a1475580N.exe	86
PID 4956 wrote to memory of 4520	4956	561ae02e1e738b522ea1feb1a1475580N.exe	87
PID 4956 wrote to memory of 4520	4956	561ae02e1e738b522ea1feb1a1475580N.exe	87
PID 4956 wrote to memory of 4520	4956	561ae02e1e738b522ea1feb1a1475580N.exe	87
PID 4956 wrote to memory of 3076	4956	561ae02e1e738b522ea1feb1a1475580N.exe	90
PID 4956 wrote to memory of 3076	4956	561ae02e1e738b522ea1feb1a1475580N.exe	90
PID 4956 wrote to memory of 3076	4956	561ae02e1e738b522ea1feb1a1475580N.exe	90
PID 4956 wrote to memory of 4832	4956	561ae02e1e738b522ea1feb1a1475580N.exe	91
PID 4956 wrote to memory of 4832	4956	561ae02e1e738b522ea1feb1a1475580N.exe	91
PID 4956 wrote to memory of 4832	4956	561ae02e1e738b522ea1feb1a1475580N.exe	91
PID 4956 wrote to memory of 4396	4956	561ae02e1e738b522ea1feb1a1475580N.exe	92
PID 4956 wrote to memory of 4396	4956	561ae02e1e738b522ea1feb1a1475580N.exe	92
PID 4956 wrote to memory of 4396	4956	561ae02e1e738b522ea1feb1a1475580N.exe	92
PID 4956 wrote to memory of 2428	4956	561ae02e1e738b522ea1feb1a1475580N.exe	93
PID 4956 wrote to memory of 2428	4956	561ae02e1e738b522ea1feb1a1475580N.exe	93
PID 4956 wrote to memory of 2428	4956	561ae02e1e738b522ea1feb1a1475580N.exe	93
PID 4520 wrote to memory of 3996	4520	cmd.exe	98
PID 4520 wrote to memory of 3996	4520	cmd.exe	98
PID 4520 wrote to memory of 3996	4520	cmd.exe	98
PID 2428 wrote to memory of 2844	2428	cmd.exe	99
PID 2428 wrote to memory of 2844	2428	cmd.exe	99
PID 2428 wrote to memory of 2844	2428	cmd.exe	99
PID 3996 wrote to memory of 4744	3996	561ae02e1e738b522ea1feb1a1475580N.exe	100
PID 3996 wrote to memory of 4744	3996	561ae02e1e738b522ea1feb1a1475580N.exe	100
PID 3996 wrote to memory of 4744	3996	561ae02e1e738b522ea1feb1a1475580N.exe	100
PID 4744 wrote to memory of 4024	4744	cmd.exe	102
PID 4744 wrote to memory of 4024	4744	cmd.exe	102
PID 4744 wrote to memory of 4024	4744	cmd.exe	102
PID 3996 wrote to memory of 3760	3996	561ae02e1e738b522ea1feb1a1475580N.exe	103
PID 3996 wrote to memory of 3760	3996	561ae02e1e738b522ea1feb1a1475580N.exe	103
PID 3996 wrote to memory of 3760	3996	561ae02e1e738b522ea1feb1a1475580N.exe	103
PID 3996 wrote to memory of 2272	3996	561ae02e1e738b522ea1feb1a1475580N.exe	104
PID 3996 wrote to memory of 2272	3996	561ae02e1e738b522ea1feb1a1475580N.exe	104
PID 3996 wrote to memory of 2272	3996	561ae02e1e738b522ea1feb1a1475580N.exe	104
PID 3996 wrote to memory of 640	3996	561ae02e1e738b522ea1feb1a1475580N.exe	105
PID 3996 wrote to memory of 640	3996	561ae02e1e738b522ea1feb1a1475580N.exe	105
PID 3996 wrote to memory of 640	3996	561ae02e1e738b522ea1feb1a1475580N.exe	105
PID 3996 wrote to memory of 2792	3996	561ae02e1e738b522ea1feb1a1475580N.exe	106
PID 3996 wrote to memory of 2792	3996	561ae02e1e738b522ea1feb1a1475580N.exe	106
PID 3996 wrote to memory of 2792	3996	561ae02e1e738b522ea1feb1a1475580N.exe	106
PID 2792 wrote to memory of 5116	2792	cmd.exe	111
PID 2792 wrote to memory of 5116	2792	cmd.exe	111
PID 2792 wrote to memory of 5116	2792	cmd.exe	111
PID 4024 wrote to memory of 3712	4024	561ae02e1e738b522ea1feb1a1475580N.exe	112
PID 4024 wrote to memory of 3712	4024	561ae02e1e738b522ea1feb1a1475580N.exe	112
PID 4024 wrote to memory of 3712	4024	561ae02e1e738b522ea1feb1a1475580N.exe	112
PID 3712 wrote to memory of 5068	3712	cmd.exe	114
PID 3712 wrote to memory of 5068	3712	cmd.exe	114
PID 3712 wrote to memory of 5068	3712	cmd.exe	114
PID 4024 wrote to memory of 1276	4024	561ae02e1e738b522ea1feb1a1475580N.exe	115
PID 4024 wrote to memory of 1276	4024	561ae02e1e738b522ea1feb1a1475580N.exe	115
PID 4024 wrote to memory of 1276	4024	561ae02e1e738b522ea1feb1a1475580N.exe	115
PID 4024 wrote to memory of 3992	4024	561ae02e1e738b522ea1feb1a1475580N.exe	116
PID 4024 wrote to memory of 3992	4024	561ae02e1e738b522ea1feb1a1475580N.exe	116
PID 4024 wrote to memory of 3992	4024	561ae02e1e738b522ea1feb1a1475580N.exe	116
PID 4024 wrote to memory of 4924	4024	561ae02e1e738b522ea1feb1a1475580N.exe	117
PID 4024 wrote to memory of 4924	4024	561ae02e1e738b522ea1feb1a1475580N.exe	117
PID 4024 wrote to memory of 4924	4024	561ae02e1e738b522ea1feb1a1475580N.exe	117
PID 4024 wrote to memory of 2900	4024	561ae02e1e738b522ea1feb1a1475580N.exe	118

C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
"C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\zAcgkwsk\ZuwcccMg.exe
  "C:\Users\Admin\zAcgkwsk\ZuwcccMg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4896
- C:\ProgramData\scQYAIoU\OcoskYIM.exe
  "C:\ProgramData\scQYAIoU\OcoskYIM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
    C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        8⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        10⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        12⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        14⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        16⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        18⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        20⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        24⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        26⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        28⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        30⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        32⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        33⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        34⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        35⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        36⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        37⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        38⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        39⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        40⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        42⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        43⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        45⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        46⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        47⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        48⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        49⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        50⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        51⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        52⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        53⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        54⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        55⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        56⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        57⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        58⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        59⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        60⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        61⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        62⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        63⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        64⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        65⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        66⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        67⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        68⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        69⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        70⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        71⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        72⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        73⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        74⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        76⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        77⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        78⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        79⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        80⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        81⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        82⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        83⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        85⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        86⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        87⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        88⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        89⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        90⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        91⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        92⤵
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        93⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        95⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        96⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        97⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        99⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        100⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        101⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        102⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        103⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        104⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        105⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        107⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        108⤵
        
        PID:800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        109⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        110⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        111⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        112⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        114⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        115⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        116⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        117⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        118⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        119⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        120⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        121⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        122⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        123⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        124⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        125⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        127⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        128⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        129⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        130⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        131⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        132⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        133⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        134⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        135⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        136⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        137⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        138⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        139⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        140⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        141⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        142⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        143⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        144⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        145⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        146⤵
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        147⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        148⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        149⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        150⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        151⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        152⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        153⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        154⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        155⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        156⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        157⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        158⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        160⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        161⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        162⤵
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        163⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        164⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        165⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        166⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        168⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        169⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        170⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        171⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        172⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        173⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        174⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        175⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        176⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        177⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        178⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        179⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        180⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        182⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        183⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        184⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        185⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        186⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        187⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        188⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        189⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        190⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        191⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        192⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        193⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        194⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        196⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        197⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        198⤵
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        199⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        200⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        201⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        202⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        203⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\deskYwIo\oigIEsUw.exe
        
        "C:\Users\Admin\deskYwIo\oigIEsUw.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 228
        205⤵
        Program crash
        
        PID:4720
        
        C:\ProgramData\yGIoEAQo\zccQckwY.exe
        
        "C:\ProgramData\yGIoEAQo\zccQckwY.exe"
        204⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 224
        205⤵
        Program crash
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        205⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N"
        206⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe
        
        C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N
        207⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsooMYYc.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        206⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUIQUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        204⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMwgkAYA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        202⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkQYscEM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        200⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuQYYcQw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        198⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQEQoksg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        196⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMQcgUQg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        194⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUIsosMA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        192⤵
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keYIAMgw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        190⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOEcoQkg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        188⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KigUQQcY.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        186⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgAEYEoo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        184⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgUIksQc.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        182⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsAAUcwE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        180⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcMsEkss.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        178⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqEUYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        176⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGYgMYwY.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        174⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgwcQUIo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        172⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIkkUsE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        170⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEQgMUgU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baEAoIMs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        166⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwsAUogQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        164⤵
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSccAYoo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        162⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyUUwQgk.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        160⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwooQcok.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        158⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omwsEQwE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        156⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKAgUYso.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        154⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuYIIQAk.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        152⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOAswIoM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        150⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCAAMYwU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        148⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEMwIMAw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        146⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCUIwgEY.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        144⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOskosss.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOswUYcs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        140⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGMkMoAo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        138⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEUEEwUI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        136⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hakkYQMI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        134⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUgkwQw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        132⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEooQsAs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        130⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIgEEoAs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        128⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaEcwwAA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        126⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQcsEsMM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        124⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYkYgkoc.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        122⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKkkUowg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOIwggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        118⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIUwgkoI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        116⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsUQAgs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        114⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcYYMgYU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        112⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKEMgQkI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        110⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgosoIcM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        108⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgoQoogw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        106⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwcIQMcM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        104⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoMIggAU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        102⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogoEAkMU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        100⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYcgQUEI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        98⤵
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGkoIYQA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        96⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWcIMMok.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        94⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUsgIgMw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        92⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUQMQkMo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        90⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuUIsUUg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        88⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCMokocs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        86⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwQAoEEs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        84⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWEswswU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        82⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqUMQwAU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        80⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biAcIUcg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEkgkgQk.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSAMkEoM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        74⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUAkQYkM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        72⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQcwEoAo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        70⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEssYAkE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        68⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOwgYscg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        66⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUAYYAks.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        64⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCMEEgMM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        62⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsQEIYcI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        60⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIIcQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        58⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueAgskMU.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        56⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAMwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        54⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TawcgMgM.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        52⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGUIIccw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        50⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwoogwkI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        48⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQcEwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        46⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSUoskgc.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        44⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQwQAwcg.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgoMAQEE.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        40⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmcskcEo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        38⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOsIsYYA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        36⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwIkEgIY.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        34⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BScYkMwo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        32⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyQkUQcI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        30⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAgQUgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        28⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaAckQQs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        26⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwckIkII.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        24⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSocIAIA.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        22⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIEIIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        20⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoIggQoo.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        18⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsIQMkkw.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        16⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASsMEkQs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        14⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEUocgME.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCogAwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        10⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmAYosAs.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3100
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rewwQgok.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
        6⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hegEwMMI.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4832
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUAwkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2844

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1972 -ip 1972
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 908 -ip 908
1⤵
PID:2928

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
142KB

MD5
9f5a905eec696ed83178b4f4aa8400d7

SHA1
71feda9d402978de78fbfbbea2cc0b384b37ca53

SHA256
bc1017ad2267db83b0e6cf37bb753acb340ab02951c293ce8db7aff5b1bf7571

SHA512
766326570ac1dc7991f6a4a5f4220fb7111d2936c7f2e4fb03f060e269fa4f8760f8d4b16a80bf1e72cab51c89bc7b096ed7ade57c3381a0279eb1d171bcd010

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
697KB

MD5
513c2fd6525a32b4a84c308e7e5a5662

SHA1
b214725b3cb6a7aef4e3bfc37b5a9b877451b275

SHA256
709865a09ef800d894d7c58fd3c092645fa38356f0914933b509b8df0d1fbc74

SHA512
2fa174375c5c55b5a98fc04543bac0fdfd471810ca10b2fcbe7d442f4f83a5ff3ad5eaf2d29dbe8f15497747ee32496414b75089fac7e42704b5d31957d1c1da

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
722KB

MD5
17b6601556d0b7f995949800786245b1

SHA1
2380bbb6014470db18620a2cc83a9736794338d7

SHA256
5a145a73a7b781c84247d2bf7e11ecd345ffe3cdbce374ad0058c6f11d79a623

SHA512
b63e27d6203a34748f908cdc6193fb62fff59c543421692e7c97f76f3495b8115335c23cffa24257040dd792bcef9d1ccc955c27d49279efb9066b278369415f

Download Submit
C:\ProgramData\scQYAIoU\OcoskYIM.exe

Filesize
109KB

MD5
879267a42f37d2f64c4c37a2d0f0e9db

SHA1
a34391bcbbd3bb97c584db8fab9142c679624a59

SHA256
04350b6aefda075b204e14874e16f7367d87930f22f1d24371190cb26c47c577

SHA512
ed1a820ab2df2e95013ecfce645ce56f988d993a6272d6433e2d83b22aa70773e62e5babdd4bee2c80cabcdc6e961c478aa5ed45994e7ac7c69a66c16aaf7e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
117KB

MD5
366ece15f8f241331cf080c6ef5c0ff1

SHA1
c12c431a3c068b43f945c4377587058554e428ea

SHA256
a1910cd584daf5f512333374d585b80a3d392568ff7f7e3e14bb1a4a56694268

SHA512
116026281f077d48f289191f10ecaad177b52870f7a2ae945272b23f863d0a0a52697cfdb401cb8588add70ebcc9dfa79429e0bf9b195323333fc63e7907e551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
349KB

MD5
25ce07c2b10541730e1309a9551cca28

SHA1
4cd72a2c8d17c582528d89462d9fea8fe76ed4e2

SHA256
14cd1895c651f9ee7bd05fd2bacda09a120a1cf289596e59907518b5a23d8604

SHA512
2c7f226c6e9ce80610dfdbd0d16ff6484dd5f3ee204bc162549b81b2d1ebfa86e092f552bd7ad0bc770bbc0e12f14ad38b73a72a0e6d4a2301aef741b11823a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

Filesize
111KB

MD5
d6bfdd22c68fe11e6041a7856b269f16

SHA1
b0b64a1732f5e113b84b44fc9cf2f5b7094ebcd8

SHA256
b6dfc3f999bb90e8485f74149ab00ddebf047d09f8ba7312833411e7f762f514

SHA512
62d585f171c948e4fc7cc7281fb48a51c52f56c876c79ef36fd2187a691ec23f789b4d7a5def81c8999d433a206cefbe7d47dcc877a1fc9d22e9e369ae82c9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
111KB

MD5
725879f3dc0792e869e6b6a1998770c4

SHA1
424d546a52a84d358de0bd6c706db27528534f84

SHA256
99a5c012eabd0af3f238f2f0319642a4fe1eccc10ed32f6c3c0d901ee4f7cf6b

SHA512
d069bee4475f8edeaade970f5d0e0690c91b0d89fb4d7690694a0799cd5ef4217125e0828dac26448d00a7695824f0b45c89d7568c93520b746a3c2fbebe2be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
c4950fd648f38b877d87f8ae913fa95f

SHA1
7a609a40197a54bd3e41ef80ec0d0ed903dc79b0

SHA256
cfb3df01e9cea346b436633edb3bba415ffc96209687708280891c437cc6878b

SHA512
e81996a06fed015f12ef1298324f15b99b9043950063d692f83fad73a93969675450dd8a646c958ebfce16cde9b2f35b3c92327b4891676a8e280028cab90d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\561ae02e1e738b522ea1feb1a1475580N

Filesize
7KB

MD5
ce87aac3ccbe9d6befcb8ffa12964622

SHA1
6c0925b88e0402e5f5d29ff69206d17754c57566

SHA256
b120f3f5a76b7998adff90d4fdb6023307d3abfbd8f6cd124111dbe49d55d98d

SHA512
26e4bd411a119f1ab677d08377a673cf8d79e6972080d0eb34c7c8f75469fd73f166c8e1a0df1b1f26a44918f2aee0309fa65e339823353c4952c1656ad86c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAcU.exe

Filesize
110KB

MD5
0b3beb091a17c7263cdcfc49f5e2a007

SHA1
c6009cd60b669149e40147a35e6c42279dddc6ce

SHA256
96ce93b4ed66974f473cade0b83e2cae0d561365562aaea3c48f3d07baf813f2

SHA512
49cb18d2d824b06d7a31cd18e3e0ce039854ff80b0969eeb32c34ccf3b41ed6ea139bbc067a6feb192b22a2eadc418430fabd3d2835cc96a6c0d10a226a1f9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIg.exe

Filesize
112KB

MD5
d02d1d6f3e4cd60821736f074d2301c0

SHA1
aaa8e0359c0f7031799a136d3f109e62d22f2a0e

SHA256
e44997510b680a44b100def0e931b53f9aaa494c96ee917e8e4978c1ff5d4fba

SHA512
6780d9f7b28a3fcfc120fb0e4a4da565262e61722b787e8f1fbe4cf08d8078e8e1e9fcec139f36ef82d6c220294bb53815cc6f96411ac1cedd3606840d63b559

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYE.exe

Filesize
140KB

MD5
86dcf758ac1ffd234ca4c8d5a6f57465

SHA1
3e9960c409c9f8070a07cae3ec3aee852a69b1c3

SHA256
3559378e65629d05fae00e48d7a7ae376169683c714c2fb8b5eba313b9299a43

SHA512
78ba5a322186513828188954313221dd9ecdb5804fb6bc9bf2a51348a866a77121d3ebca20504f26f901fa05a8497e0fab86a9beb4e9e71eac81837df8d65cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkUo.exe

Filesize
117KB

MD5
10393f7458a10aaa45b3777416d30feb

SHA1
20e9389c9f16a9d106d4c72b1e3af0acba9b1816

SHA256
70bc02436a06c13f98747b95d286600b9436010286654cfa8b5c7a1256f879e9

SHA512
71ba60f1ccb16021f6a71217d5bf49c5e82df026fb0c039f132014df4d844ce9a0899db642e8aa69b25a60de02e6c1fa94a6761fd2b2382abc25cd95806f6bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcoQ.exe

Filesize
111KB

MD5
177703a125bc2f2f05f73438e26089e1

SHA1
3a978dce0103c4cc9b26ad317fdb6eb6815c51fe

SHA256
ad5fb0c026ab38355d45344e9b3f86474e484179e67b47376f4c876606817780

SHA512
0438861591a589a1d664c47f74300d4dfc93fa758b9506f159ba3113699808ee6ac22da0cac0c696914a20d85891181f1ccf256add54fbeba229a30a78f91131

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIm.exe

Filesize
111KB

MD5
c2b9ae5d781df5bec585e5be250d8eb6

SHA1
2291ad4c410cda46119187aa626e1d3f6cafdf10

SHA256
1ec6a7b5598edf9e308deaee30aaff87485d6e4d52372d67e9027e8431fa56e4

SHA512
d995e6a652ba8345af300f1a29ddfaffb0c3330d9e71d1508e9a8ee89df004ad414e1e0d825464cff88038da00eab4575d0208167248ed958c4aaca67b817c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQm.exe

Filesize
112KB

MD5
b140b4568638311e0e907ba7902b09af

SHA1
117d6ee174e02dd2d70b03e07081c80a48ad3c6b

SHA256
b2196f3f1bee664a276e6668efb41b87fbbce6936a32c7f5fc133ae6c8d07f36

SHA512
e58e918dfb0b324dbe88db893afa839dc8c9c17207e044dd3c00be7bec230ea9dd828b2edd9ccb643fbcbd5ce37f6e540ff21f843fa4c64d50b0a7e2e714738b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUa.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAY.exe

Filesize
565KB

MD5
f82f918733a6ddc154a30df54073a0a1

SHA1
486f5a1f7be9993b03ca6ef086652843cbc1f068

SHA256
285b314a274bb6cf66d7db1494033902951d9c543bf26199e3bec3fdb3738354

SHA512
5559d82f7266df788daaaddb85190f2d8f09d486521573c7abda9bfa46170466f9d80d4276d9a27339ddf27cdbdbe87e3660365e5857584808c0e693ddee9e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgU.exe

Filesize
120KB

MD5
3e97c026ba482f1c61bc835212bf35eb

SHA1
847c38748b86aa7ff771102aef8497b84b735c33

SHA256
dc70d87118a2fc415ff47f807fc799c6949f28732fb6490b6dbb3118eed8ab01

SHA512
2c784c4f9122e9c565b780f4b07d9315273c2fef0822af4e82e88498abd3ab39b98f24e950588a15f506c7d8a0228b64e5acd204976d50a64552391bc13c3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEc.exe

Filesize
555KB

MD5
b65229db8935b9d34218329ad7fa0ddb

SHA1
38bc47e2989e2aa779a75eebb0401117f96a6309

SHA256
f6f61ebd131b4dd3d74e1cf571d77c9bf9beb06121f5ad46c09e0798c8e043ab

SHA512
ac2a44b024c518b916fb7f415fd4ab31b357d081209a0a10cff0598606ef97aef46803cbffe8862dd5fe40f94c43859f90919c9289455dae892db11bd14c4c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEME.exe

Filesize
112KB

MD5
01850d2c00895d261d5a3d2653b93c96

SHA1
b0d53a4ed9485eafd5ff7ad8d1538fce510fcf2c

SHA256
11c01230a58526f31ab475bb1cfba904ff6de07df1a9393fda820c87e4cd5180

SHA512
a79380589e1312bd94663d656cfe30eb985e20f2eed8f72f4d72da1966a39a6d2d4d1576bf705e41ccd2349f89dec26adac5209ab10501b03a7cf4ac1ac35a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIm.exe

Filesize
110KB

MD5
c20a9c9bb93285ae9e004b350123fc1f

SHA1
08b378e078331a9b0d0ed23de8f465f9e89d4c1e

SHA256
0b5a5b6fd91869340fd84aea228ae9368edee78ec271509a4a917ea10ecc6424

SHA512
24c24fe1fb21b632c85de90c738fe05d636baa3ee692a88959efe79cdc81f63166d52ff25ccfeccfde02e9fc9f8d1cadc159319ae48f079c7ef164c9a6d1d60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAC.exe

Filesize
111KB

MD5
58061d72d2f5049093d8b104a86dad88

SHA1
532dd471e679611727e41c74199f75240d352b6e

SHA256
8545ee7520e0ed1733c79d78b666ee6688743e6aecea9300bddb2b895cd9f1cc

SHA512
bde0ca2f26b9a31bd15bf2867f77a83ebeaa592e905e3451494af44d1630658965160520b68e6bf806772ae2081e1083502fef225d19486b928433b93d23ca78

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMe.exe

Filesize
117KB

MD5
54da8b9630f669e2e138c6c862fa9110

SHA1
db8eba9d25f6743fb8b1ad67dbace20572b133fc

SHA256
c6047abce7296b0613ddfa7186d6d446679495e74ba7c3dbe7828dc6600d4ebe

SHA512
6cb5b9b4ece5a6327c308df203edef4eeba9e1ed9d0b65a7f1519fef5a6cb4f6b1529b2d7a80471d37e07dd2490d8b61d6157b4cdb68e842e8d21725916aca56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAk.exe

Filesize
113KB

MD5
26ffd2dfddad1b628eb1350f8adc656e

SHA1
f868646fd31a4dd283f383b2c72c493dba55e9d8

SHA256
821051980510bf75b3a43af331cd732392086cbe05a406d0d96228ad0148bb22

SHA512
703dd04bb53168d77883378436606f92d46f22cd30320a00defdb4c519ec82ccb32e26049c00d193b4f49246093763198e29bab0dd5fe93229fcdba4356ec1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAIO.exe

Filesize
113KB

MD5
a7a2b58f6b5e80e0f3497130d0162f92

SHA1
315ff89a5fac51e9900c151e4485d812f0518ff8

SHA256
11c2c1c2934c9dee1b5434047163852dc7151a11dfc3fd97215dc7ee24ff34b4

SHA512
f3f69ffd1dce845937e2d0f9b010d1f121b2dd1d00d8a411accebb3250b40d2c405fd8a8cd9884f4aa21b6bd791a38f461e82319714c916eba99bdcd80119e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUM.exe

Filesize
115KB

MD5
4ec95c0ed032f98625412aa09d25a980

SHA1
e432cc20797b7bfd12782583fce4807a55125671

SHA256
98d7d65658af88129b4ed796ec6342262855c106fb9380e1ce6f96d09300d277

SHA512
4e9986daf2ac9ec5b25023430e0cc7b8546b37ba20637bd752ca24454b987732892c3ca27231a92e0eee0dc04883a1a36a407ee475da29c3dcad47ccffe6bf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIUG.exe

Filesize
566KB

MD5
4eece2252d504398b871dd6807990cc6

SHA1
77d9d5a02ae5affad38ae6a6d61091523cf85f5d

SHA256
05f27bb44f7e88c433a87b6579a256cf9aaa4022d6f29317101a59578c2d720e

SHA512
24938804d124d28311a81d8e819d32c49bad26e92e47a7a2f1ff42e9f21217af6d90ffd27b85df5441cc87eec1b36e59b302fc2a399b2d152071414ef1c6b9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQwA.exe

Filesize
720KB

MD5
c2754108927f814bdaec581ae2553093

SHA1
aea003888251771684933d4d4ede41f81a8c2996

SHA256
5fae3cc2b1a932f85b6f6b1d441f1596c341f1278766b2e4cfdce52e9420bb58

SHA512
12d553bb253868d233a7b8979bcfb711487fcb14fc5d49bda7bbff781935adbc34d822ada44c0f8242561c9c7efe6332c1ce263f20aca4326cc5558160a266ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgcw.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Koco.exe

Filesize
111KB

MD5
4012f41c588c3e56c9402befcb48646d

SHA1
7ba7f8d5976ccac4f90ea7b98e397d6b5feddef2

SHA256
2b6b912caed23b9875978bd6f2156589287ded14813dfd993c8e1fa447faecb1

SHA512
fe907aa9e7d082b902e4bad1657b3daa109165b5f9b6aaba59649b7f2c3431c1abdea7f1a03fb7a5e229999915d72999c3bb1f29dcd87ad084fc38c75ac4e534

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIq.exe

Filesize
113KB

MD5
512415541f1940358675f2a0b0688a13

SHA1
3cb30b76cfe61425d7115d17f8629d64f80303ec

SHA256
f7c25b14304f39cfab1a4ccd55a24e08088edd83f3dea46d7daf7cefe16daa7c

SHA512
a9014e58144e0062a3ae0a9f761949684d190ac39205df993952080155c5ea578710a50f8e19ef4a179842968f5fb864e2bd0aac7640de20d2adf7d5fbf515f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUu.exe

Filesize
497KB

MD5
458d02ca49667bee7bdd5fc481f793ca

SHA1
bea357b00cefd1c73beb127a98d55a55999af0c1

SHA256
262a001509be221092aa1ff03ba4fc67bea865c9a95d7ef4ea6cf98be7313d09

SHA512
9bc3a7d2952b1d0d4426bb19ce4a11f0c2539a5a69911ab44a33f2174d44f904459298d36af31588ed419688b7eb2e65bda51179beb0ea511785cc8e08d905d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEG.exe

Filesize
615KB

MD5
9de4ce54e138f00ad5af74acab4ca248

SHA1
f2a355fa153781dcd383036b6e79e38da90c3973

SHA256
48482e132f778049ffd47ed21a748e44a943a5e9884fb4503ab0629f25d9f310

SHA512
73c3fd1c766e56e3d92e653fcdc2f3f446a057276dfddbd967ec7ae557afe38aa204c2464eaeba2c05fe0992ae4ece7395863c9cf7b3f368a55a295d64b2529f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQu.exe

Filesize
120KB

MD5
f489677d62405060b7fcaad07dc5887e

SHA1
4847406621e77100bd88e7f4c340b8ce15337cd5

SHA256
42bb5f1661d2292fe18b6b7c783c9b8e698ca03aa43707632cb6f46e23dd1ea1

SHA512
e64979aa8a48e0dd4f207889f2be6f62552c1e2de71a64dc78a9f6b8e070ad643c40f2597db5e1d740bf277ba09e04fa8f3ed6bf616bde665566e220ae39173b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkgk.exe

Filesize
111KB

MD5
8ac1770b8ee39f37854364806a575044

SHA1
e4c061812ecf0155567a84d96aaa80ee8516ea40

SHA256
2e28bfba756b9060bb8a72377f2c9d8df7b74cc080e4359bfc31f8da77919360

SHA512
90fb2ae6d3c097917a15327806b730491aaa8d54b8308e9235324080867ca5df4d1fc61168f4f371ef658763fd0e01ce1e25b8f8f6a487b0c92d4db754255c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQu.exe

Filesize
115KB

MD5
0c22cc51ebcd549d809d88b7760a1170

SHA1
32126e5a4ce23c3eb9c4ffad1956dcbbdd62c1fd

SHA256
a3c90e76b9e3fbbc8c0bc27d971f86639447bc6375b0663b052054b80c0add69

SHA512
99b225f1bbebe5a80472e18b72a0f92eb94fea974bd45a02d0e845e1ce61b7bbee15c6c2989dcb1ab04b428abb9984ef6d95261a921c95e8ac9a49a521cbea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEcY.exe

Filesize
556KB

MD5
61972ac03937780a1216eb9c20d4c730

SHA1
a2c3c4437894aaf2bd3229fb245243c58c581cb8

SHA256
38c618c6f217fbf874e81e456155f093a47b5bf9b0a1177b094e91ebe29d7336

SHA512
1afcd115e805d54ce6df94d4b0e4393446eb15c44931d5c6b92f02dceaeaad4acf89d0fa7660d54d7f69d0fa0af2a888b482bab352ec89557ec0ec737faea3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OckS.exe

Filesize
116KB

MD5
d0e6c5d29fe532c82b94ed19a2f9f8f1

SHA1
8646e443245a547898481d3905f3538dd52dfa89

SHA256
4240cdf0289bce17e9a0a84eea2a6dfa6fd9811b7d64c640b382b4191e82382a

SHA512
6c92196920723195206ed3080ff8f622c23e464c8bd23036ed08df9d46b6c177c5efb102adeaea0e5024c3346acacf9d449fa18440c42d1161cad3c11b2e114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgUi.exe

Filesize
125KB

MD5
4894d10c48272778f19aeeaf11682793

SHA1
b4a81f96abd17ca93d7f7b51c27336a390399800

SHA256
bed86a8f02942d0fe58e604e90724d2a41c92f70bce779578ba3ae987d7942c8

SHA512
e2fa29acc9c83fb099a20116e70e790dd408b4e58e43b013f5a569012174ce6ead9af208fc3e9ad5805a3988a7db739cc4aac0a09e6d050791ed2346a49a31f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMkG.exe

Filesize
426KB

MD5
225570c4b409d7a43fadab551fdd77a7

SHA1
da763ce66ac37cec0519fc287f18fa1a1632cc8f

SHA256
829a7a119c464fad3e3b79a208bbcc4a6b651d685ecbc0e9382881d55f04ed46

SHA512
ba1fe4ca2744e2980f5457dcc186be948a4e343f6332163596f361c11d4717736fb595b9df00c639a4bea6cb1d500649bea1a36e070fbb3984889cd32f55cf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgoK.exe

Filesize
111KB

MD5
21ea08ea0a571d4fe6b3e795802d31a7

SHA1
0404066703cb73244fbc73944824fcd223191f9f

SHA256
6238b7f9729be62f3fc09cce980a8e05b29ea64b186a2b2a55e316cec764c349

SHA512
379138f3944cd1e1eb867d5857181180517b9727c61642aa72d7cf875b190338c65b1210a597cdc4b1f63bb5acb2a2879943ba489683b7aa26123c80b4d35cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qskg.exe

Filesize
113KB

MD5
478418b2f561a9e4487c725444d10b2a

SHA1
7136508492efbd696bdccb9d307399f4b810c644

SHA256
82ad639c49192f76d80ee8610e498def3242738b06201490314eff74215a44b9

SHA512
95bbe5c5e952cb4071f8d02f7ce3740e55f3dbaad5e0be8ccfe048680b8563ebb60876110ff568e80da4889ff620b2b83094872eaa536cb076cac0a7b2cdcc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMi.exe

Filesize
111KB

MD5
1748944e3fff674b8e1ac78431f3b75c

SHA1
1a9960a6fa40fd885e316023fffea5946889f801

SHA256
334671f9b079fd716a5fbb56f5646546aa12f0088bf54e7bde22980dd781ee9d

SHA512
c45ce45ec300dd15d77191d75671bdb5c8d8dc2cc81724be1b967a13f79e752fe28b5f57ca20f48634dbb2c6cf11c71d586c17811e44180a65c36be48c3b94f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswE.exe

Filesize
109KB

MD5
ff1ed1763944688634014441695aa0fb

SHA1
12ce7f1a602bf285deb36a6ab08532bb79b1e248

SHA256
695ab98dab9c19743d9a348f4911ddef16c194747577df59a65f61638ed33154

SHA512
32f01952fc55c6c21e6d7ab9161cb851810c78fbe617986982621d905fabc492d35fb3a57e1a56e55f7d0d7c55d806bcdc410e008529e42357cc1b72f603a7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEAg.exe

Filesize
137KB

MD5
e044b8c39038c1892a99fbaa063a325a

SHA1
7c2e694f2ae499cc059c65126bdb45ecc95d274b

SHA256
871657621d698e4468178b3f934f77abe5f07b5c3890a0bf6431b925c90f7637

SHA512
3c2d6c3f2a18b84fe72789e9b809549447c650433940bbf6e099d0af964313ba1fb7dc416f676a9c0d71b7475d878751ef170726f82ed38a6a1d7044892b7a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIAg.exe

Filesize
112KB

MD5
acc2c4573d9fcbde3e6434a1cec5049d

SHA1
bc4957d17f288cf828927ddf03edd5d33487508f

SHA256
27373ea0f1c2cc240058f2930150eef8423bcb34c46181715a4e98bae0af190f

SHA512
06b17cf009c88c5d72d3ba179174069d72a80b349a624319d4ef02668f0562cc15d4e536677bcd766f107778c32b9232e4102ff0220debe9ebb1437c691241d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUQ.exe

Filesize
116KB

MD5
6b7c4290f6612e93ed9dd69403f089de

SHA1
6a38838fb68415c59d137918d403adac3cb52335

SHA256
e454f17be9cbeaf2aa20283d6623752434ee4aef42e95d6c28b2104b2ed4de65

SHA512
e1a740acd1d627a25cba378d4333dd88ee2baee597cfeb7502467bdc315a4242fe8ac018800858ca9d9f61ae162ffa0cfba62a047dc2b4c9cd0d310ad055b1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYEw.exe

Filesize
354KB

MD5
71a0bc2bb24822aad911dd42ab894351

SHA1
7379601dae74f1b4bb2a8beab639ab3014d355bf

SHA256
ba2cd2bdd26d55c5135bbb13d389b1ef22dcd1b31366cdf4a681d61795baebac

SHA512
32c07a1e529fcd1e7e57fa8163e9fcbf76c3d3c555b6ea44e26f89407cce6d95796ace99125cf4a4d2198efedffdfefcb06e02b3ce529c99b844e15a5998a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukwm.exe

Filesize
657KB

MD5
f79e477d367c5bd3afbed5f4181e2fca

SHA1
e607c7da96bd6633cd088cd3779f763ce6210229

SHA256
986b291c2b487195fefbe3157d2aa700e1433f15e4ad3f0c4069b78af2529d55

SHA512
ed6ab0c23afa934720c8ab000ed432123d3415a0385bb8293637723ee09cbe6af51dc1811af4fb7fae6a8fa4dc877849d16f94bc84858c8f75240fc46709ad41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uogw.exe

Filesize
110KB

MD5
0c7661b02cdc1b2c13c0b65fea34910a

SHA1
68a468e272386bf11c53c029c4ec518747696aaa

SHA256
630084e7cec65e0adba814d2c1b76139dc0c638c75fcba795cdceccc472b2b55

SHA512
8ad03e6ea53445d1f49c962792e6f190ed47f531dfd7fbbeba6ce0527ee03d6b9f5de3d03ecb149cdd42e498c7963b4e322be0b4a6c25ddbed171a75cd14ba6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsMM.exe

Filesize
149KB

MD5
c936c256b380ef83f190c57769c9b08e

SHA1
d5dacbb5f148bc620d7b2674ac542dacd33f056a

SHA256
8983c970215fab2709de824890a9721963e0812c69749f08c220ae19f375a142

SHA512
ed6276d2ccb22bead9984a2950eeec88f8c7e22585bdd8ba9d32da353e386f5ba3a884ae804aaa3eae65a4bb134832a2482e2a74530f3c2874406d34df589e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAgC.exe

Filesize
119KB

MD5
85269000c09a0ceca6ae040443767cff

SHA1
55bf974472eeff7306b8bda3d0b7755ae081b5be

SHA256
18514e1d3bedbf22bd93e080a13ddfc75c3c277103ff93e9cb0f82e28e65ceee

SHA512
5bcbd07c9da8e5a342b24e2e425b4ef6b543c334f4c9602d1743ea477a23ba82422dbb41433727a17b870255195c718958bfc2c8104d838b1e9b3e8f88da4a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMMo.exe

Filesize
115KB

MD5
13d59bbf6942cbe2733f64e09a0e83da

SHA1
42bad36e67de0406e7e3d143b7b92f2b423dac5b

SHA256
33a3a1386f8ebcab8cf9bc9fe47a767568689184c55710690a6c115d6b31b5a9

SHA512
918b1242c1e8e88e6f43698bf5750653ec20666acef0684cec7af22988fd6da87588d0e9c21002ebaa5adbceab13bf129863a8031b7d10890447afaf9feb8ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQkq.exe

Filesize
111KB

MD5
a4972af42e809eacb68b500c0453804e

SHA1
8d30669e8e72fccf022763912b497584ba85c202

SHA256
b69a9bd43e21dd9bbaefe62941af7d8b68fa01746e8b089e21e0b0afa37f4305

SHA512
0d4c8880949c545a2e13dea59a253fed3e102d6553da2f82ae18f9c0571afe901a67153ac1df269533dda6c55430d66d86e8899047b4f89d79877abdefa4a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgw.exe

Filesize
1.4MB

MD5
7b4fd8205b6aec740f6fb750452a2493

SHA1
ad16c0b2b8b4ea77d7127d831ae2debf9a23af2b

SHA256
80b1756e77c31ff4d79d9283f1cd0cc55f5e7f03377e6ea57e026a6680834682

SHA512
c73aa65cf69503e657b082bcb5610f21432dd7803865697e885a87412e2879bf12cf8390275cfb25e38ce1749512b337f1d7b91b117e9b5524a488b98fa0dde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQU.exe

Filesize
110KB

MD5
b205d7857e0f8ec3deabe3dad5901d4e

SHA1
af4556cd2be2416572f4f46e5754376d0dbb82e7

SHA256
3577f2f256d3bfe123b9c5f5ffa50c478b1ae4bbafa13173f9f4dd063d4b2c9a

SHA512
b4d6fd8192ea7185b658e494743d62060ddfd2a7ffc4fba5a1b6a1e97ee838b10df99533774e13b415a8f7dffa3274f057b11a7b00c696909762b9c87059d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycca.exe

Filesize
116KB

MD5
0258c84fa09b18b7d46460efdfef9e8e

SHA1
2ffa3588cab163775b6bc53335d179ea1b2b9ec3

SHA256
ef09e12732a01e9514ea5ac3f556e65678f7d28ee4a1514bd6215bd9b08d678b

SHA512
3b6365e8d462851020788ca9a505a13fc6508e59224fb774a76ed2759406a751ae800bacd8fc3e6753d75fe068c25c8a40f7fa6e8f7217d653dcae24c85a141e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoIu.exe

Filesize
111KB

MD5
5c73de6ca642cd152f3ec28fa9526e20

SHA1
728dc68f14873743533fe1de58728bb1894c725e

SHA256
af4b5e01f6c3d572654f992ca1aff493d094aa1a9cb333b9c366e5af3fbf6b39

SHA512
35e85390b2c7eb14476054bf804e8e8180255f9c5bb162fd5e99e0a20e943764f0544aceaeba26c28a72b5b7f709fe2e48543f16f74b0e336dafd85b273cf7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\acYC.exe

Filesize
113KB

MD5
6497919a462fd606b0e598a2879820be

SHA1
10e51bf18083db7e8fb388743dc76b1a9a92692b

SHA256
c585a15132cfda0e5401ac8683216259321b37cb8cd6346610bbabc05328312d

SHA512
27d9eff41108976981c59b7e7eed5aae68d024f0f41c52f63828abf98428577d72ef26a4bbcfa828d52c18d4149e496fa6b3c082c4344a7a8bb7a5f638eec816

Download Submit
C:\Users\Admin\AppData\Local\Temp\agkC.exe

Filesize
112KB

MD5
f3d65a3fea4a4f20969fcfaa3decb285

SHA1
47d17439521bd4038f7c21a0651d4cbefd1f4151

SHA256
ae73e5a3fb6b634fc58df197cfc9f1f8ebc980d641cb2330bd7b73e10bbc20a7

SHA512
442c4d5644dca1493d3e5ff0980c22fbb4755b0127db3f3d9925581937ad421c574a43ca3254498c05fc7d274c9c1589ae7e07b8c67ee193e06e8be21f198d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMY.exe

Filesize
114KB

MD5
89c285b5bb6dc3f4ea5a891aac24aecd

SHA1
9d8fd4ebce8247479d26fc4965be892cda758507

SHA256
b52f29c8bd63a9f173b8ecafcbc3d91bbd6713155c0cb983d6f7fd28e95a6652

SHA512
b82787e6c1a095051a91de838e8efced00e5805c1538d3f4d238ce1ad3fc14ac5190ce47caebc4c12b211196df7645b5e42ea900bede65839ae250d3354d221d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUu.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQck.exe

Filesize
646KB

MD5
0d4f47819d7b2ab5685722e40dd2bcb7

SHA1
87427d52e942e59dc8d691ea7168e757074d4b53

SHA256
bde866032e75194a7e33ecdcc5f83026c08f20ae04a27f5ebf889038dd7fe3be

SHA512
9594974dd3d920d2cc9ff6b85744bec76394b4110d54804a1d19bc3b3d03826a32bc42bcc5d964d6508995268312caf747d9e54a72a94586c5c16023cc06e46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQQ.exe

Filesize
531KB

MD5
3734d23fefdea2e0f5c83f906f4f0c8c

SHA1
a056d92ba369a66636a96f5411ab77546105a360

SHA256
ff110c9bd14fefcfc9af0f904e4d0d48d735a2e40d3047d778d09864ff080178

SHA512
113d4e2123abe16a6077c2249ff0ccb115acaf7fe54d24bfb13161a2334b43a531b3da48fd59ceecdad664a74e50552491529c82bbc6bf2c88804fa69f3155de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckm.exe

Filesize
237KB

MD5
9abe0dd8ba647e106d3df87c18478ac6

SHA1
efaf6d4b3e692d5cf0203d477302a0b70fb8285c

SHA256
44df1c6dbd314884c3d2e669a9e52915d2ed7f9c1475a3462834a82e6d2a72ea

SHA512
a3b7de766c68eb0724d333e3bbcfc5decdf85d033cdb90cf4ad55dafa9f9e18be710d05b0b822484c89dcfaab26c3af9b545f2cfa29d053e19b58defcdcd79a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIs.exe

Filesize
113KB

MD5
662655f4755f1e38a0588788e6991f41

SHA1
a2b530d91ec80e5521de6b9d4ff089f1caef68bd

SHA256
52def541884cac06d174d7e837ffb664e02586e2181381b47d7fcffb6c35468b

SHA512
b2c45575401fb63566a772d75d8b52c6d9b85b6bef89be6577af6a13259927234c70b7a8439d76163b3416ba148c1938c65b05702620a1adb32f89269488d08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckgW.exe

Filesize
114KB

MD5
b2215a32d262486359133c63a8be3e07

SHA1
e243bfe3a954ee72454f8241e8852d52d083511f

SHA256
4095fc533273ae7969e7e2cc04ef96e97784590e97833c8ff00036a13a793ef6

SHA512
393eaa6806eeb4d0b38ce721ebda2ccea57d1a40168c9a6ef8cfe75668f287db575df1ec1c6b434a94acd929fdf2bd5ea57e23569709b0fe08125b35242710e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\coUK.exe

Filesize
355KB

MD5
1af6e12753ad814e5d47de863dddf9a8

SHA1
8d1c62959e6b18be39f07d840e26c299d0577da7

SHA256
023f96b9fed3dae1256d428bb868d5fa46b77e0df52103348f5671f862a3579d

SHA512
fa91df510f172e4e09ea97ad1152e0fbdcd81a411a892ec1295e8de36cb560422c0be2803bb9e4b24e2d778907e0398ebc32d6d3d250689dc0c71e5c8848e3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsm.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIq.exe

Filesize
113KB

MD5
e7005e6a2da56e9c9406431094055e06

SHA1
60eadf75278ced5bf7fa367f92079ef9357d3a5e

SHA256
fc992f39de426d02206f2e4f8a13fe484a9ddb4c79eb094eb8c9e8f32d2d8fab

SHA512
43a9e0d958cd8f716b41c877b577f882e6703b2150c5d864365b44aa08e5f99f87835b4e113941351be991e54fc8b6221eba8ba2f3f5aa447d240a7842a17538

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQoW.exe

Filesize
119KB

MD5
00af6eeea00e34686f27a12e5103b73e

SHA1
61be333cff62ecdcafccb7efb41a5d436bfd3b39

SHA256
f0b311c4845ab324ec737ae4ff27295283a8c4576e622e2e798a60a1e0ea5064

SHA512
77b7d1a1d154857b54cd00d06c0d81ec0428f0ab09fe64e364ccf560972c2559ba8495a2bf02deedd77760c821a08d0ad260bdbf05a71df6505c2ad93c04ba0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\egkk.exe

Filesize
237KB

MD5
317676b01207eeadd17f3e9b5342e51d

SHA1
7c19883187deb1538a359694e26e2b68cc31bc56

SHA256
a5465d171be07367639e02446b5c1469775ff498d374ee1166ac5c46dce17a6a

SHA512
6a9d953808d502453074b675cb2b76d84b2f54f206f165b837ecd43afa0dd9770acc97c83d57e4e26136e04186d30c237cb7f5087b2d4eb71f3cd8ddcf1c38e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekQI.exe

Filesize
463KB

MD5
0678fc1bd47c7f2e3a4ea29313e5c674

SHA1
39222172a31bc1cd3c6f2907a778738197727d17

SHA256
93afbb547e99c5cb7ec070aa4b28029f2d9e1541e84db9b768ae9e9cc73113f5

SHA512
e18afcfd411c55cc914edcddad9e4ee82d7efdce03eedb88441843d8a7d485fb28c15c7395ba16909f855f2c42461a948682a8560d84fd503fbf8b19c4ff4fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIMA.exe

Filesize
113KB

MD5
4ff480bb1b1571ec78b27dbd08cb167d

SHA1
e781e269af11905762306854d400344cb6c61252

SHA256
4f5c44ab42961e5f3c44aff5bc4393a354efff1fd75088f7cd9553ca6fb68d4c

SHA512
eafa5d5d463c70d5edd7cae6d0d27ad253e80318a2e348d7c07e0ce8f7ee807c7a14a60aed45cccad8c42c7af496eb50eb4a731bd286cae7b9df4af3b766ec36

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcUw.exe

Filesize
680KB

MD5
ca72ffd6aee00a16e5dcf14d12f00389

SHA1
0a509c3f9543f28e19abb3361a18c9716b239f1f

SHA256
2a4b9d90d015cebe5e1d4d2b6362610dcea848e32c3f5c985c9a46b8209d6ae9

SHA512
664c6db2cd01287c5c089b4cddede4ac5d8f3e3a4fa5c87d2ffb7e654a435b6207439b086ea7e0e1201c26a963fa3ac90452eaa2eb4901b68bed3859e3c3c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEQm.exe

Filesize
486KB

MD5
4e3de7081917f401826981be73ae6f8a

SHA1
12b0309188ff4cdfbb838800989d60f7411c25cb

SHA256
2707641555f4dc98ee303a7acd2380f6345f71d1d6329ff8f3ba07fd1efb8a6a

SHA512
8755cee47cbc67d95388719b8bc5c9037c00bfaf219cfdc3c2d6859c2c432f793a9b3498ef108fc644a2897515d1386f0bac67c4734b0252e1027da35cda1104

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYS.exe

Filesize
118KB

MD5
7380b5782e24be94dc4a00e1ac66e585

SHA1
8738dc78900714941e7fa233d2ffc2f5b988522e

SHA256
77d10abde1ed0232f4f698a04dda6d20b0e27fc7efd65f900151de9827bea978

SHA512
27a212697d0e693c63ed362cef46575421779f1e52b8748cc656b91205f99e44d400d2b1abe30d0d08f1848224c8979e83379ad23defad90154f5fbbc34a8678

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYsq.exe

Filesize
857KB

MD5
13c0d0aa3c60264144467a1c8ef19b30

SHA1
349d8ec56dd90f30683478a5dca43da481b8dfaa

SHA256
365d4a0814e2ae10424061725e3b670e7ca02344b2fe6f12a25ff318d42df799

SHA512
4088f12672f4b5066c8bba6103fa6f03186b022d5e7c272638609051899ece77786d4c9aec48e4ea75231b9e2b92fa4a16f14a2b0df6403c6335d727c78bc0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYE.exe

Filesize
111KB

MD5
e641e7beccc8f20fc90be31eb0c494c6

SHA1
db8d9f920c7cd736649d2f040212343ddf9ddf37

SHA256
53ca5a13e62ba1e10bfa2ed33e6dafa7436a12d3216f017df0d1e990436793b1

SHA512
89d46a3a15538875a8232f2f7e51d83c1b84ee54ea853fa9b3323dce82aedfc92084949a966c24eeb3d0cf788e05399ae81e60cd28d869d6e88fb8efba0f6261

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYEg.exe

Filesize
112KB

MD5
491417733c4eb8f5c108a80e22db6a0b

SHA1
de9cd008256837d297cbd4d3776df077b34440ea

SHA256
9b2516143becb0adb6810721f8af41db8848b12ec5003da866b64c41885e64c7

SHA512
9db9354c1dac9ea37973a21928bb2c3af0488654de9320f567604fc59d8a2d34f6883f5156e9472d6e6fcc4b4e43ed0a03db340dfee7c14b0500bbcc5d03c84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgoa.exe

Filesize
138KB

MD5
342fc061ac62a6c07c054b1a5765ae3f

SHA1
ce521e188439699ab5de9827effc7dbddf0db5b7

SHA256
0f11fbfd03584d74e1cee289d7e71d31c05f5733ce4204f0ae3c68a68a637546

SHA512
1de07c179286588929d3f3be755643c24dba5e3cc8630aa454ea8895201e8d75c52a215817ca250ee189bb3a7eb4324ec4338ab353ad457c40e081008d10c967

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkAi.exe

Filesize
117KB

MD5
d2cc2979eff8755937c76371dccc177f

SHA1
c0323e7d3ded3f97aa165900b5057635e7598fc7

SHA256
7e015c209a050550d060934b10f09830c193818cda694888a6638b755149ddf8

SHA512
939c4179e0b37646cb61230396c5b890f34375587e9bb19da629e8324e656091ab64e397a1e24c15ff9ea1d6652fa3d75c09a9971117712dbdd5ad5ded50bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkkQ.exe

Filesize
790KB

MD5
7e944a30f3120d8497e783b299a148f4

SHA1
92cc20124cbfb9eb75a0a57991ee4f53fe8b0b8d

SHA256
7687a982018ee5ed1028b30b18d1229fb7937116fccd674cae1ad9f8b3c3b92d

SHA512
14a82ed167802c387c8d24dc6bb80e1eed4654258356deef08b3620812996f172b0a8078ea1fa14afbab25254b80297facb81e1b833e8b24f3a9e40bc03f2e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQq.exe

Filesize
743KB

MD5
e3c4b9c08088beb669704c7f8790437b

SHA1
dc776a9fe35b66ab8136518e6c91ba6e188d089d

SHA256
8b21db78b13f46f89d2a0fbfb685264e09b08d3c2f38c06ca3cb96ab1c9f3374

SHA512
7ae1ccdebeeb3adf983e3beb18fae228512a36489e72d512cf20b4867b37ce445f24ed1a4964da2c0248de50fb5083f5f76eb3c5c41f0b2368fd724e4910d6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUq.exe

Filesize
110KB

MD5
bab539a08e07e2efc2be13d2b6519162

SHA1
69141aa829522546ab5af40550b62145961c37d8

SHA256
6e7083f645833a33f60fd41392ac887fdf667702ccc0b2d8d7595d77ac3f1d83

SHA512
9d7c4bdfc7b95e3b4d866b5b76f3f670b380a1742790ff1650ec94fe2720202918fe6f3a7df9dd8531ff52a243c89b90726e76307b731c3fb320fc105030da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsw.exe

Filesize
235KB

MD5
aa0423993467f11dbeceb970e0a3cd9f

SHA1
9ec51481ddccfdfb8c661b30f216da6d6c60b7f0

SHA256
5a40ffc22ba306059d8f4a7b272be9b291656e5ae5e2552b7af18f77cdaa0ea5

SHA512
4c04522fb327edcb0a21ab3e0d9c5628bc4365810126ebb4d6796e83341149eef05e2f3b66416113cfea53ab7d27804759241168b3baf4d3075d14b2eddbc032

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMso.exe

Filesize
120KB

MD5
8f34c8fd01499b21e49dcf5d876fed22

SHA1
981755771504ac563327a55b100e2336f71dbc37

SHA256
4cbe5a3c341f2269948e9aba1bc60042bb362aa92a92bf3afd022a1cd1c9830d

SHA512
2dab697468202bc47524bd0204bdb579a52f5dc3f4f566eecb6f87843854eb162fd83ccb029cd96ab0ecc63ff4dea72640be7aa54f13f0460d22bd9b410cc607

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMQ.exe

Filesize
113KB

MD5
330636836c12d66e14781591e0ea1c3d

SHA1
8d05f6e462169b5a570c2acf12cc485b2b393ea4

SHA256
57c76652ded87e0391075070a10007dce1aef2c7d859291510e56d45b60188f2

SHA512
c462b7d252fc1ac90f80bfc4b916b99bcf9628c98c4dc73b2f0df253f4e4e294b676be0737b4cc98b99bf0e15ee008cee9a0c3bce4d044b62c7a551dc4e5650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYYu.exe

Filesize
746KB

MD5
fbb75e893fe742651904d737384f71c3

SHA1
c3957fb7507f38e33e3e31e2f15e3b183f63ba09

SHA256
67bced1ed0f200d4a76b763c1d5a1c0c1189b3e87387a03d780fc7f5cf3dcc33

SHA512
29eeaa1c2ee0d6b21df8dcd153be0f79d8d098c9ed7fb28fe3ae66854a44e0a5dafea484637353767a969b2dae72cc4c06295a4277a7be09f4d1409e4584ed85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocsK.exe

Filesize
132KB

MD5
f3612d3f56f07db2b8101fce2a73dee4

SHA1
e34387796aa181f6c28290c8de82e0557048eb1b

SHA256
a4f1acd94221f3f26391d9c73f572c3cf2b4968287686d9fe7489a4a755f8888

SHA512
26c13a3d2d0a888e5169ad305fffa91f4372f78f6aec89e59599adcddeb04370155313eb0e4c49e3cbc89769f04d24cfdb8cb5b594e910099aaed03be6a2ee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAcO.exe

Filesize
109KB

MD5
bb1d7fd83ab42d961e2e18f91ca5df84

SHA1
eaa5621227423d432102ceabae2e511a9ef3cca2

SHA256
820805d8f176e5feb4063b036876bba084645c6f5d786d9762354ac6f09f78c4

SHA512
15ceb69a9169d57d8dad32fa14157a99c18952d5514de374fcc0319d210b6c2ccdc2431710a658c71902b1be55189a853e8239497a72079d1c8f4d151b664c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwYO.exe

Filesize
112KB

MD5
432bee2fffb3e2a6f79e95942001b3d1

SHA1
665f760e2c471d1b22f0013ddc91842540d58f9e

SHA256
dafd594bbb49d647b86dacbda13de6abb5a87e5fff99e8a95c0b8b01c9a38cd7

SHA512
d691aa35808913d8e47672376202477f2ccc017fb626f7d0f974951a87f0eddd2f6d37391aa54c0bc944e9e3a1f65ed785cd3f7a7f2e322ac63c3af64d8f1943

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIS.exe

Filesize
150KB

MD5
32ab6b4fe5bd095dc7c0a5b56c620ab5

SHA1
95a209d27a8314b31f24ab750a8da6ee34916dcb

SHA256
6565eed8e74daaa935885750dde81941ec273c1088da78e11c58375d11676632

SHA512
046025bd59e262d5e59abd84a3707a7866ca1827f06af13e71b5a8349ffda7a17ae7a478bd2e6daf5c9e3e91d7ace070e69dd08e0739b3709e09c536667d936f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYUQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYW.exe

Filesize
111KB

MD5
b11a0f00cb94269d7cc407e6bb5ca13b

SHA1
a5a93d485a25b4861e121b97f4b4168a8ce2c192

SHA256
a75f48529645b787b755d3720589b0fc5c7011c2ded2706faa8804e21b681949

SHA512
daafb78be63e4a46ae5aaa81bc07fafb10d5138efd498eb8c0d0926e0d58826aeb4f02dc46b5a3584a71b376e336b335c642fd4eba81b52e662d6b719dd7d2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgsc.exe

Filesize
154KB

MD5
395b659eb9688e03027cfd119d79dfc9

SHA1
9583bf987589be0f373ecf0e24163b5151c95456

SHA256
844793ceb8a9bbb8e9d4de1b23278e084343602c3699d8f8929978d2ad62502e

SHA512
e6e67cbde4239cd12521663890a40a1c3c3c9ff4c7918fd8270de8330e9d5e4dc4c3735e3d0ad1cd76dc0c267634d4968a57f619b7bc0eaabb9db0aacde693a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgc.exe

Filesize
119KB

MD5
9b336ff577f4f1f5ceb1560c677ce3ee

SHA1
f2d884d8f12645d67898f56fc996a99fd34944a3

SHA256
a82ca560d13f33f91a272be802a12a565cb833843c852e5e264112c5d5d87d3f

SHA512
78a38621c450c324e229cd02b5c36ad55e2df6c9853403bfd97b58656e515f9b05a2125bbcb287f1e98a9da5052164d09d75131c0fd79dde0db5d11db0bbd1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcG.exe

Filesize
111KB

MD5
d4c7fa8ee4f960c2c87b7c66927ec40e

SHA1
160b7e2c11958a03b344e47c87075ef89436013b

SHA256
c0f344c6a5f871e690f301b6708d3eb6052c5bff27105e44c9227ddcaf950a79

SHA512
603f778f604b76afe7518a73e53c5c1b751988b9db885c3a72d6a73508a8dfb89e30e39a8022b3c1ec6a4b03945f7b24b99ba2134bcd8f38f0066ff858cdc1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcm.exe

Filesize
118KB

MD5
503981c9c0319e55726f9039f661add8

SHA1
3712a3906aa166a8f27a2feec8204bb54587fc00

SHA256
ea32054cb4f1d0f96215bc2ce9e5b9b8e631d5a3e80a775e8ca48093c8cb4674

SHA512
039456e6f8d467998c0ec5019e3df6a1b437bdebc9ec85c321e29fc1423fd17b5d38beef7bd06a2e855b4d73c54f0f3cccfd9b3457fbbe065cf1e031168279de

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYsQ.exe

Filesize
114KB

MD5
a78aa0de868b38fb5d33b8050f86f04a

SHA1
ffbfaed071bfef31e87ffa50100090d3347781ad

SHA256
b8c129dd612ec79534cd25d41457d5623fefa03393fc37bd99edf0b7a0b18a51

SHA512
de58f297f6181e64f38154ac18fdef4e83ed82878c87f85c0c05343cf00cbe78f4e9e6180cde7db985f4ff1082aa4deb69e3dfcea4c8d16dbcd0362c96e98d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwG.exe

Filesize
1.1MB

MD5
c33a9b1472123f5396c6130a9ee7b17c

SHA1
392a90d72ba7318475f8035d66abf090a1aa9a6e

SHA256
0f624caf7e2947798bf6ac2903c9cb455698b0bacb563fac60229b3fac9d2c51

SHA512
125a1f843aeaef3642a8d4d552f0cbd26727f3d72fbe926622d6166e4b1ffeb76a05abd6490d285f490f5f95654eade6df4b7ff4d29cef293e49d69993b75d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugMy.exe

Filesize
117KB

MD5
a94ab58ae2fb1e63d927170dbe2a5064

SHA1
e5b75448676327e0b1332a6b4b64786b27baeb56

SHA256
ab4b5157bb24e16bcb7f8328f50f7dbb54f28a3ace6115d1a848a05f536d052a

SHA512
7d7a2e9c08ef1ff96f77b0edd668c207d19aa817eca5ea3af0c54a755d4162ac7e4c467fad12ca7b69b314500cfee4507029c7e0d9b37482e46c730647f5669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugga.exe

Filesize
111KB

MD5
bacfd961b68ed84e205b763bbeb6c07f

SHA1
93305c6663d0a559e6efa29b046146494932067c

SHA256
3baa592c20ea36355276fd2447e105d3761376aef7e5d0cbb5cd041bc3836bd4

SHA512
f20c5fa031fe8964db13a064a71bd678a3970e10f134c96ca2efaf184bd571f5cb0f41f2acce763088bbbf2e3dd5e1d730fc635c8e064fd0b31907227c452367

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoYY.exe

Filesize
153KB

MD5
d350c5486f0e5085c7d09d9ced4e5fd3

SHA1
b60a2dd78e6b64f5257bb53f3b4b3bf46260c5c4

SHA256
52b6d8fcc3cd95f7e034b53751d73d4326d52f2d6d717fe2d570237586c1e5ce

SHA512
420310d45dc095e94c3b8bba3c0e1bc4f6cf3ca68f250351a786e23cd122e11118551786c4435af38dc18648cfb51aedf5cce33e0db9e741a4d3186d3585448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwI.exe

Filesize
112KB

MD5
99111d60f47b3ef46b637c7ab5eb2575

SHA1
44e86a7c0fa9f43dd441ace9b628604b4b92588c

SHA256
020b09cd2eb1f455f82388356e795e210a9867bd3e391a342ba6415e705368aa

SHA512
6f4fd4363256ea9b50e6f791bf0bd0f3dbf032aa181309b30e2c6f910489d3cdcbce1f80b93bd45a7aba0ea91881067f7c0bb71e2e6dd11b17c2f85534a616b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUAwkscQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\woMC.exe

Filesize
697KB

MD5
adf32301e9444fc4b508118a5748c54e

SHA1
75e96cda4e89115d280e48f476c667532169d2a1

SHA256
cbecfd872b6e584f74da4bf777a1ad3ebfe7ecb55469671d986bd4adefac719b

SHA512
5b9d108f0b3d661b5a1301bcca9701d6836efb06e8f9476f1fc5a3a17494d5a38b198bb6cc0bccfc89f0d221a2fbd6fcafcb43bb1f9bc53760ef0f33a779cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYS.exe

Filesize
564KB

MD5
17c0112286e4bd3dbe6088e1897b0b4a

SHA1
86ae374d4b3e1e438f778dd7d22282ce714ae7ed

SHA256
dfae11e4bd8547f5381b5ed1b0be0fdcb2089d37c7cda4eb4289c7c03e7a9bf7

SHA512
d43c9392e1fc52d32fe33e472d6929d7926cb30aeb4e2622d8d2f75cd657add77c2d66684989eab381475ee969596ea8e65a927494a6cfc81fa057c0bfc5c6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcy.exe

Filesize
236KB

MD5
237fb5bb60f2091733f2401924ff4c5c

SHA1
2e938fefbafdc724821b9ffe809a519f5a714a7a

SHA256
89bb4b304082d8fc77f2341418910ccbd6e1edf6e7a7bf3c813a959ff194945a

SHA512
5b0be57faa5784c091a2a27df58dc2e54d35cb81aceb86953366fc797dc367eb97ab2b05f97dc6f989c3b8c537602060ec238464f4235c9b0afe0d87c5bc5ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygEQ.exe

Filesize
111KB

MD5
824c478f9ac114bb27689c5badee425b

SHA1
b0aeed9d2a43d087cea7bb5afc9dd16c47ba0399

SHA256
f30ecbd4fba71854737509ef0e32dac6448f372080f69bdda8f0b4a8ec398559

SHA512
54fe563afa6a03b530d04b1cde46e4078ba53c931c614429efb7cd211daa7b0c120190d5f50af48336dc56787d076b5b8d0d1698e531c83f880699c69b85228b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykEm.exe

Filesize
721KB

MD5
347f468233ad14428e86fe5a345aa121

SHA1
c88790c85dfda3d2a9e9eab99191de38e89bd541

SHA256
6c7fcddea444d91834fb5e692355d0675b99695fadc14d8e3cdb35bca11756fb

SHA512
cfeecda4963258878479a3c97d4e6ae3f335bff307df2339614b82404bb8e70e4243a679a26991727c1b6e0f3307b852a61fbabbdd7c60936354c16978e0b7a9

Download Submit
C:\Users\Admin\zAcgkwsk\ZuwcccMg.exe

Filesize
109KB

MD5
8add9ad23c8773ccbd3ba7cfb01d4f36

SHA1
68d2edb7a632c5635851cee7b1ba4983baad4ed9

SHA256
d19aa95afaea3d555f6c1c2b095fc24f861ae11945b89004e2b72eaf207a74e2

SHA512
b63b9bd04028e01f04fc9fc1c3cb13220008bcb72289d98cc72dd73d1490bfd4a710fdc7f9a1664248e1fd86540ba3844a2560c686d47c34963cd1b5e2b4f944

Download Submit
memory/32-241-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/32-644-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/212-300-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/212-292-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-1462-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-1512-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/628-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/628-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/924-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/972-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1016-1831-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1212-425-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1224-208-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-1704-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1724-417-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1880-343-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-1015-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-1626-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-259-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-267-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-1179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2156-580-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2320-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2320-105-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2344-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2412-197-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2796-392-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2844-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2912-301-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2912-309-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2916-1369-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2944-433-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3104-952-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3104-394-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3104-401-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3248-851-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-186-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3580-473-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3620-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3660-507-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3660-530-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3676-645-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3676-709-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3796-1078-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3868-490-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3868-482-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3888-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3888-219-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-1548-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3952-481-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3996-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4024-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4028-457-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4032-368-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4032-376-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4052-1461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4052-1399-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4056-131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4176-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4192-1827-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4236-250-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4316-498-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4352-258-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4352-249-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4356-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4380-1753-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4380-409-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4388-506-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4436-367-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4552-359-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4564-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4604-1242-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4616-351-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4632-283-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4732-465-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4796-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4896-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4924-787-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4948-902-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4948-852-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4956-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4956-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4960-327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4960-335-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4996-230-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5008-384-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5028-317-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5068-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5068-1248-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5068-1306-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5080-153-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5080-291-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5116-1128-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download