7d6ee85156ce834c94f351810ac4a457bd7551be29fdc202e5b6c4abde9f7474

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8593471e2db25971f5519849555e6550N.exe
Size

201KB
MD5

8593471e2db25971f5519849555e6550
SHA1

f3a579a1fa3bc08637b6aac771625167eb663601
SHA256

7d6ee85156ce834c94f351810ac4a457bd7551be29fdc202e5b6c4abde9f7474
SHA512

dd031faf72e235afc618f346c530d99b4e259536bd059b26dd686060304c6eda0cc4066971b211ce67bc773f2457245a2695554e983b7ab3097cac9ff5a7cf0b
SSDEEP

6144:J1dpkFTr3x166z1pgOjQhx5ZH5l8biJ8ex1GSI7V2Jqe:dKRrz1pgOjQhx5ZH5l8biJ8ex1GhEAe

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	JSkYEcMw.exe

Executes dropped EXE 2 IoCs

pid	Process
896	pAcMggcw.exe
3088	JSkYEcMw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAcMggcw.exe = "C:\\Users\\Admin\\eCEgMsQo\\pAcMggcw.exe"	pAcMggcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pAcMggcw.exe = "C:\\Users\\Admin\\eCEgMsQo\\pAcMggcw.exe"	8593471e2db25971f5519849555e6550N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JSkYEcMw.exe = "C:\\ProgramData\\SkUEYEkQ\\JSkYEcMw.exe"	8593471e2db25971f5519849555e6550N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JSkYEcMw.exe = "C:\\ProgramData\\SkUEYEkQ\\JSkYEcMw.exe"	JSkYEcMw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	JSkYEcMw.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	JSkYEcMw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8593471e2db25971f5519849555e6550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4472	reg.exe
1980	reg.exe
5052	reg.exe
4512	reg.exe
4956	reg.exe
3592	reg.exe
800	reg.exe
3820	reg.exe
1280	reg.exe
444	reg.exe
2464	reg.exe
3312	reg.exe
424	reg.exe
1372	reg.exe
1392	reg.exe
2100	reg.exe
4624	reg.exe
1196	reg.exe
2552	reg.exe
4772	reg.exe
2412	reg.exe
3372	reg.exe
1828	reg.exe
3616	reg.exe
3864	reg.exe
5012	reg.exe
2732	reg.exe
1296	reg.exe
1752	reg.exe
4500	reg.exe
4432	reg.exe
3848	reg.exe
1828	reg.exe
2120	reg.exe
4392	reg.exe
444	reg.exe
2400	reg.exe
2976	reg.exe
3576	reg.exe
4956	reg.exe
2892	reg.exe
4324	reg.exe
1916	reg.exe
3108	reg.exe
5012	reg.exe
4344	reg.exe
3888	reg.exe
3384	reg.exe
744	reg.exe
4296	reg.exe
1536	reg.exe
1300	reg.exe
3996	reg.exe
3000	reg.exe
744	reg.exe
1772	reg.exe
4624	reg.exe
4516	reg.exe
1028	reg.exe
4056	reg.exe
800	reg.exe
4936	reg.exe
4784	reg.exe
3312	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	8593471e2db25971f5519849555e6550N.exe
5040	8593471e2db25971f5519849555e6550N.exe
5040	8593471e2db25971f5519849555e6550N.exe
5040	8593471e2db25971f5519849555e6550N.exe
4124	8593471e2db25971f5519849555e6550N.exe
4124	8593471e2db25971f5519849555e6550N.exe
4124	8593471e2db25971f5519849555e6550N.exe
4124	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
1752	8593471e2db25971f5519849555e6550N.exe
1752	8593471e2db25971f5519849555e6550N.exe
1752	8593471e2db25971f5519849555e6550N.exe
1752	8593471e2db25971f5519849555e6550N.exe
3084	8593471e2db25971f5519849555e6550N.exe
3084	8593471e2db25971f5519849555e6550N.exe
3084	8593471e2db25971f5519849555e6550N.exe
3084	8593471e2db25971f5519849555e6550N.exe
928	8593471e2db25971f5519849555e6550N.exe
928	8593471e2db25971f5519849555e6550N.exe
928	8593471e2db25971f5519849555e6550N.exe
928	8593471e2db25971f5519849555e6550N.exe
3868	8593471e2db25971f5519849555e6550N.exe
3868	8593471e2db25971f5519849555e6550N.exe
3868	8593471e2db25971f5519849555e6550N.exe
3868	8593471e2db25971f5519849555e6550N.exe
5104	8593471e2db25971f5519849555e6550N.exe
5104	8593471e2db25971f5519849555e6550N.exe
5104	8593471e2db25971f5519849555e6550N.exe
5104	8593471e2db25971f5519849555e6550N.exe
4396	8593471e2db25971f5519849555e6550N.exe
4396	8593471e2db25971f5519849555e6550N.exe
4396	8593471e2db25971f5519849555e6550N.exe
4396	8593471e2db25971f5519849555e6550N.exe
5008	8593471e2db25971f5519849555e6550N.exe
5008	8593471e2db25971f5519849555e6550N.exe
5008	8593471e2db25971f5519849555e6550N.exe
5008	8593471e2db25971f5519849555e6550N.exe
2636	8593471e2db25971f5519849555e6550N.exe
2636	8593471e2db25971f5519849555e6550N.exe
2636	8593471e2db25971f5519849555e6550N.exe
2636	8593471e2db25971f5519849555e6550N.exe
4708	8593471e2db25971f5519849555e6550N.exe
4708	8593471e2db25971f5519849555e6550N.exe
4708	8593471e2db25971f5519849555e6550N.exe
4708	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
3108	8593471e2db25971f5519849555e6550N.exe
2464	8593471e2db25971f5519849555e6550N.exe
2464	8593471e2db25971f5519849555e6550N.exe
2464	8593471e2db25971f5519849555e6550N.exe
2464	8593471e2db25971f5519849555e6550N.exe
1640	8593471e2db25971f5519849555e6550N.exe
1640	8593471e2db25971f5519849555e6550N.exe
1640	8593471e2db25971f5519849555e6550N.exe
1640	8593471e2db25971f5519849555e6550N.exe
4796	8593471e2db25971f5519849555e6550N.exe
4796	8593471e2db25971f5519849555e6550N.exe
4796	8593471e2db25971f5519849555e6550N.exe
4796	8593471e2db25971f5519849555e6550N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3088	JSkYEcMw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe
3088	JSkYEcMw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 896	5040	8593471e2db25971f5519849555e6550N.exe	86
PID 5040 wrote to memory of 896	5040	8593471e2db25971f5519849555e6550N.exe	86
PID 5040 wrote to memory of 896	5040	8593471e2db25971f5519849555e6550N.exe	86
PID 5040 wrote to memory of 3088	5040	8593471e2db25971f5519849555e6550N.exe	87
PID 5040 wrote to memory of 3088	5040	8593471e2db25971f5519849555e6550N.exe	87
PID 5040 wrote to memory of 3088	5040	8593471e2db25971f5519849555e6550N.exe	87
PID 5040 wrote to memory of 4652	5040	8593471e2db25971f5519849555e6550N.exe	88
PID 5040 wrote to memory of 4652	5040	8593471e2db25971f5519849555e6550N.exe	88
PID 5040 wrote to memory of 4652	5040	8593471e2db25971f5519849555e6550N.exe	88
PID 4652 wrote to memory of 4124	4652	cmd.exe	90
PID 4652 wrote to memory of 4124	4652	cmd.exe	90
PID 4652 wrote to memory of 4124	4652	cmd.exe	90
PID 5040 wrote to memory of 1612	5040	8593471e2db25971f5519849555e6550N.exe	91
PID 5040 wrote to memory of 1612	5040	8593471e2db25971f5519849555e6550N.exe	91
PID 5040 wrote to memory of 1612	5040	8593471e2db25971f5519849555e6550N.exe	91
PID 5040 wrote to memory of 5008	5040	8593471e2db25971f5519849555e6550N.exe	92
PID 5040 wrote to memory of 5008	5040	8593471e2db25971f5519849555e6550N.exe	92
PID 5040 wrote to memory of 5008	5040	8593471e2db25971f5519849555e6550N.exe	92
PID 5040 wrote to memory of 4928	5040	8593471e2db25971f5519849555e6550N.exe	93
PID 5040 wrote to memory of 4928	5040	8593471e2db25971f5519849555e6550N.exe	93
PID 5040 wrote to memory of 4928	5040	8593471e2db25971f5519849555e6550N.exe	93
PID 5040 wrote to memory of 4740	5040	8593471e2db25971f5519849555e6550N.exe	94
PID 5040 wrote to memory of 4740	5040	8593471e2db25971f5519849555e6550N.exe	94
PID 5040 wrote to memory of 4740	5040	8593471e2db25971f5519849555e6550N.exe	94
PID 4740 wrote to memory of 2340	4740	cmd.exe	99
PID 4740 wrote to memory of 2340	4740	cmd.exe	99
PID 4740 wrote to memory of 2340	4740	cmd.exe	99
PID 4124 wrote to memory of 3408	4124	8593471e2db25971f5519849555e6550N.exe	101
PID 4124 wrote to memory of 3408	4124	8593471e2db25971f5519849555e6550N.exe	101
PID 4124 wrote to memory of 3408	4124	8593471e2db25971f5519849555e6550N.exe	101
PID 3408 wrote to memory of 3108	3408	cmd.exe	103
PID 3408 wrote to memory of 3108	3408	cmd.exe	103
PID 3408 wrote to memory of 3108	3408	cmd.exe	103
PID 4124 wrote to memory of 2948	4124	8593471e2db25971f5519849555e6550N.exe	104
PID 4124 wrote to memory of 2948	4124	8593471e2db25971f5519849555e6550N.exe	104
PID 4124 wrote to memory of 2948	4124	8593471e2db25971f5519849555e6550N.exe	104
PID 4124 wrote to memory of 4796	4124	8593471e2db25971f5519849555e6550N.exe	105
PID 4124 wrote to memory of 4796	4124	8593471e2db25971f5519849555e6550N.exe	105
PID 4124 wrote to memory of 4796	4124	8593471e2db25971f5519849555e6550N.exe	105
PID 4124 wrote to memory of 4524	4124	8593471e2db25971f5519849555e6550N.exe	106
PID 4124 wrote to memory of 4524	4124	8593471e2db25971f5519849555e6550N.exe	106
PID 4124 wrote to memory of 4524	4124	8593471e2db25971f5519849555e6550N.exe	106
PID 4124 wrote to memory of 4956	4124	8593471e2db25971f5519849555e6550N.exe	107
PID 4124 wrote to memory of 4956	4124	8593471e2db25971f5519849555e6550N.exe	107
PID 4124 wrote to memory of 4956	4124	8593471e2db25971f5519849555e6550N.exe	107
PID 4956 wrote to memory of 4544	4956	cmd.exe	112
PID 4956 wrote to memory of 4544	4956	cmd.exe	112
PID 4956 wrote to memory of 4544	4956	cmd.exe	112
PID 3108 wrote to memory of 3740	3108	8593471e2db25971f5519849555e6550N.exe	113
PID 3108 wrote to memory of 3740	3108	8593471e2db25971f5519849555e6550N.exe	113
PID 3108 wrote to memory of 3740	3108	8593471e2db25971f5519849555e6550N.exe	113
PID 3740 wrote to memory of 1752	3740	cmd.exe	115
PID 3740 wrote to memory of 1752	3740	cmd.exe	115
PID 3740 wrote to memory of 1752	3740	cmd.exe	115
PID 3108 wrote to memory of 3576	3108	8593471e2db25971f5519849555e6550N.exe	116
PID 3108 wrote to memory of 3576	3108	8593471e2db25971f5519849555e6550N.exe	116
PID 3108 wrote to memory of 3576	3108	8593471e2db25971f5519849555e6550N.exe	116
PID 3108 wrote to memory of 588	3108	8593471e2db25971f5519849555e6550N.exe	117
PID 3108 wrote to memory of 588	3108	8593471e2db25971f5519849555e6550N.exe	117
PID 3108 wrote to memory of 588	3108	8593471e2db25971f5519849555e6550N.exe	117
PID 3108 wrote to memory of 1652	3108	8593471e2db25971f5519849555e6550N.exe	118
PID 3108 wrote to memory of 1652	3108	8593471e2db25971f5519849555e6550N.exe	118
PID 3108 wrote to memory of 1652	3108	8593471e2db25971f5519849555e6550N.exe	118
PID 3108 wrote to memory of 4008	3108	8593471e2db25971f5519849555e6550N.exe	119

C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
"C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\eCEgMsQo\pAcMggcw.exe
  "C:\Users\Admin\eCEgMsQo\pAcMggcw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:896
- C:\ProgramData\SkUEYEkQ\JSkYEcMw.exe
  "C:\ProgramData\SkUEYEkQ\JSkYEcMw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
    C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        8⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        10⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        12⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        14⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        16⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        18⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        20⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        22⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        24⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        26⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        28⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        30⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        32⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        34⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        35⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        36⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        37⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        38⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        39⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        40⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        41⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        43⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        44⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        45⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        46⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        47⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        48⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        49⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        50⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        51⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        52⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        53⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        54⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        55⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        56⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        57⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        58⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        59⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        60⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        62⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        63⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        65⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        66⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        67⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        68⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        69⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        70⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        71⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        72⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        73⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        74⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        75⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        76⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        77⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        78⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        79⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        80⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        81⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        82⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        83⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        84⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        85⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        86⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        87⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        88⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        89⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        91⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        92⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        93⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        94⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        95⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        96⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        97⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        98⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        99⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        100⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        101⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        102⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        103⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        104⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        105⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        106⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        107⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        108⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        109⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        110⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        111⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        112⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        113⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        114⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        115⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        116⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        117⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        118⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        119⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        120⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        121⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        122⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        123⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        124⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        125⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        126⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        127⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        129⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        130⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        131⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        132⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        133⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        134⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        135⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        136⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        137⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        138⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        139⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        141⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        142⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        144⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        145⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        146⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        147⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        148⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        149⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        150⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        151⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        152⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        153⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        154⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        155⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        156⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        157⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        159⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        160⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        161⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        162⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        163⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        164⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        165⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        166⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        167⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        168⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        169⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        170⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        171⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        172⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        173⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        174⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        175⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        176⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        177⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        178⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        179⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        180⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        181⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        182⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        183⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        184⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        185⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        186⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        187⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        188⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        189⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        190⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        191⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        192⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        193⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        194⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        195⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        196⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        198⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        199⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        200⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        201⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        203⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        204⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        205⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        206⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        207⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        208⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        209⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        210⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        211⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        212⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        214⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        215⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        216⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        217⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        218⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        219⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        220⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        221⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        222⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        223⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        224⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        225⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        226⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        227⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        228⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        229⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        232⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        233⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        234⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        236⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        237⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        238⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        239⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        240⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        241⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        242⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        243⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        245⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        246⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        247⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        248⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        249⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        250⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        251⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        252⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        253⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        254⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        255⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        256⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        257⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        258⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        259⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        261⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        262⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        263⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        264⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        265⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        266⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        267⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        268⤵
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        270⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        271⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        272⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        273⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        274⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        275⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        276⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        277⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        278⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        279⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        281⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N"
        282⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe
        
        C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N
        283⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSwcscUs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        282⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgsEgcww.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        280⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qegQIQUA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        278⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMAYgQog.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        276⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOIswwQM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        274⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeQsogso.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        272⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LScsckcw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        270⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        Modifies registry key
        
        PID:444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyUIgYQk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        268⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaYYwAAM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        266⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEYAowoM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        264⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEwMgAcg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        262⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmEsQYUY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        260⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSMQswgw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        258⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwwgIQQg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        256⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwcEMko.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        254⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        Modifies registry key
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCUwsgks.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        252⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqkMUIkI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        250⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oewIgQYc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        248⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIsoYEoA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        246⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmskMosk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        244⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JswgYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        242⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGcEMYcY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        240⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaMUoIQk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        238⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQccUgQE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqEgMEww.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWAoccww.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        232⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nywkgIwo.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        230⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsUAkwwo.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQowgcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        226⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUsYoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        224⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEgAQgoE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        222⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIccYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        220⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQYoAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        218⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LissUEQg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        216⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BecAQAQY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        214⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEEYYYE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        212⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGIIMsQU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        210⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuIIMoQI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        208⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyoEEIkc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        206⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAYUMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        204⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgAsAccI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        202⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyoUEEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        200⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKEwocco.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        198⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYgIwcco.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        196⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqUcYwwc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        194⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoYUYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        192⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqIMUQoE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        190⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYgUYIQA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        188⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoEkscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        186⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiUEUgkE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        184⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USkQYYQE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        182⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEoQQIQM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        180⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSsUEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        178⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkIMUMgw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        176⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeMsQMog.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        174⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMUksEIc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        172⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oykUAcAc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        170⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soAAgwYM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        168⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cscEYAoE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        166⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEEYYMck.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        164⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rakEUQoY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        162⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByIAsEUA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        160⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IasoIQME.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        158⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScsEAEkA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        156⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YccksQgM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        154⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGQsQUsI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwgAkMMs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        150⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQokosow.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        148⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAksIIIc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        146⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwUkQokc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        144⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuIwQYEc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        142⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUEwUUgA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        140⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaYsoIEI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        138⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwIEYEEM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        136⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAsMIsM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        134⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\resYQAkU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        132⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuwoQMYU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        130⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OegYEEcA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        128⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQAIUkcU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        126⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGoEkwgk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQwsQkYw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rigsksMY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        120⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMEwMgE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        118⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAswMkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        116⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsgYkEwU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        114⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsUAEsU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        112⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGEoMQMs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        110⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSEocokw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        108⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgsgIYE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        106⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIIkAsk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        104⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwAgIwA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        102⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fisQkMQc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        100⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCIYggcQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        98⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIwcwYck.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISUIsIkc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        94⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMsgkMwU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        92⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWgwwskc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        90⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYsAcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        88⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWQAYwQg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        86⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REYkooYI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        84⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMUIgcAs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        82⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWkMYIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        80⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUAswgww.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        78⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIccEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        76⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwoggwUE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        74⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKwggkcM.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQooQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        70⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sikgIoEs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        68⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyYkkcEw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywUsEwMA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        64⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqkAEwow.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        62⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAsgAoA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        60⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEcYkggs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        58⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaYAwYUI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        56⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIEcQcsg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        54⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEYkckkY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        52⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWQowEMs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqgMAAAg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        48⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsooUQYs.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        46⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zswEMkwk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        44⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkwcUskI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        42⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eScIkoYw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        40⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEkAAoo.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        38⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwEYAUMw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        36⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQcYUIQI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        34⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQQEcUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        32⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuoEkEsI.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        30⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCcQMIEY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        28⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCYIwcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        26⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIAwAsUE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        24⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koEAoQYc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        22⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAgYwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        20⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmggcAEE.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        18⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pskcwAQg.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        16⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaYQMQYU.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        14⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DisIMIgw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        12⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWQUYEUY.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIsocQQc.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:588
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoQIooAA.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
        6⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISskkUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAEgEEw.bat" "C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
219KB

MD5
9fb6c9130a79be4ff0fd989f2be21389

SHA1
26e3f37c2cd4aa94b41b6379099eb727fd66effe

SHA256
ebeafbe84b746289adf830575691f0d64f4076e1941b0da2578ef0d8e36fc41b

SHA512
5d099e773176cfd852a7a37db379a8998390004a1d6086d22d39e10f9366b4c08e5c0b239dcf73f37ca802b1c35347fd2b154cdd64a31ecb15a55f38a36625a7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
233KB

MD5
7dd8f108176ae4be0def4db10ae09fa2

SHA1
2e29cc8dceb214ac12b7575839c44bc8b2be1032

SHA256
406903a2dda51d14bfde9f543b67b03abe502d4fec75b11c056717fac4fcbcd6

SHA512
cf2da977c99c340a7afe44b4b66ba6fc07aee08701e6f0cdac2a8be6747c6f90268842026db3c1878bac4c756314650eb7d9036633ee59b6af2c9ddce4652845

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
204KB

MD5
eb0c01efa972350f68c75b9faebb402e

SHA1
7eb4fd1684af08979d77a575791a064909203562

SHA256
14e55ff9c97b1e409adf88982c572eb8597135ad6140aaaef4dc6fc14f5c1200

SHA512
76f0ffb7b85bc744a8ddf1422ca737f41a36df5c131ed3f6fcc07ca8260687cb0c5ba0e1f6f1f3bf6c15fb2a695b881c01262275d76b7972ceb10aa7e5ea02c5

Download Submit
C:\ProgramData\SkUEYEkQ\JSkYEcMw.exe

Filesize
180KB

MD5
76e49e9f95973cdf5f4905b270e2073f

SHA1
ecf6bb5a6c7d0cb5d4cd4f742a4b6996795b7ebd

SHA256
e90d8cf58360cf576461595d90362e7bbf24675703839973914052c84302d3e8

SHA512
6d2c61cd84504aa045f2aa657355389d2e99cb473cbc9f53d76a0a039d70fbeca7366bf0c1cd06389665cbe00bda3155df4ad501b2f507e27cf04a35b641dbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
203KB

MD5
c90e9bc7a90a778c11cbdb1c8ce8f38f

SHA1
7825c4c2e7ae3c34038f748a28c734b026c2144a

SHA256
30615d3080b161c2766774aa344ceda6eb802e3c0336e7218aa70594a7f2ed5b

SHA512
2a561350a1fd231dfee318ef3d063faa2056d2ef06097db22c30d3f741f6f35612c72605d2b839a932e8247dc190e678d69ffe1475ba47f4eb5ae3ce18ff7638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
197KB

MD5
dd2ebdbf519594a397ce6e155b7b2df5

SHA1
f2fb62f39229df1611773370214e84f452b5dff0

SHA256
de883b99710ce1ac5b8820ded0bd4a8c3f48ea992de2a72c86089f027de3ddb3

SHA512
bee0cf8bec420521d5e78ab830541386e40656ce313878c30d5be2e41928fa9970675e5aa6966fe17b79511180aa63ab99f120a32634226b5a59335594d21943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
197KB

MD5
cd5eb855f9fd25b20bae399b9b59a829

SHA1
7edb16f5252183742643cb2f4421073b74dde067

SHA256
0a0a512c9a7fda3f7aaf407a0eb335fde1fb7cd14e84423e02d44fa5366731a4

SHA512
30fad2066ea9a654908c50a151c7e584152abf682f3dddff331b9e15ae072e71e7c1da7b996c2d51a15097e632a239ca43473ce64af856ff47537680071fbfba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
188KB

MD5
6aef24957f20d82514b290302a4ee21b

SHA1
05ef1db45d2017f778fa62bd75ed0bdcd18cc366

SHA256
3d6296a74aae989b966e45f8d9ad48fc306c78b2c30e2a63a5629176304d2a8a

SHA512
01749f888f85f53de4cd5f40f65731795f59475fab79802bd236048eb5d5838c65ecb7bad4aaccc56791debe6683d4ca20bd425f673d4a0762f315c0c03a2361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
199KB

MD5
5284b97baae4a22e9b789c48df259937

SHA1
87ca32f244b5e8d9aaf499b4327446523acc4502

SHA256
cd2d70f179a13f0951c1ffc24983048847da3109e6af6ea646d5d336c3a66415

SHA512
c8ae644877b7cf40de276e88febd7a38318b06d9eb0140ad04e497369722b6592ddd9a697597ab4aa873824f814aaf79a4fdb998fef68323c6898fdecdbf3285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
191KB

MD5
ccd9b27de67bc4df8333be2e2e5b9ddd

SHA1
8b869640f5c89475b64545e36f908db856dd5223

SHA256
42657eabd08431def753d699c6b4595536e6b4aac21f00e601ccbc900c685688

SHA512
72ec529aaedd989a1137f0e4c559c69e29e293a477e33fc024b7e7c5f8f4319ac086734b8326e44f82688ee05528ab3c023b8c7dc547e6927ff822c3ca5ee13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
580KB

MD5
56fad91a43f42fa7d97706b250be4eeb

SHA1
cf23293d8660cf63393c4a0b01347d5c9490b1fc

SHA256
fffe55960a0bd28e92bc38453ad8347d29b80b981df91c44b9f3db35753da2cc

SHA512
23dfd15057121b2c17b51a74b62383652a78d2800541595cd85103c53a282ea02ad261234a88648d59ca65071236eb493e0d9ac5bb4746b5b0d1431f1f14a192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
193KB

MD5
a7bbc3f9353a1873e5a95a7cc75851ea

SHA1
42a7b7f799988320012d73f2d2ff3eaa21a9f78b

SHA256
7d19dbe7d7ece45d7ce04ac9b853a7ef9be2c5255d7afa5ba4eae4bb9845a188

SHA512
45c023f01774b2d5afda992c18d7fd15c8100275e0c71187051a7e23e4b7d567b9bd8136b6e2b94694eaa755e711cba9ea477eeda0d22ca4bad5628464ea7dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8593471e2db25971f5519849555e6550N

Filesize
2KB

MD5
598ea3255fb276209072332552903ed8

SHA1
ccd234d34d488634569a4064a65d643e070e80ed

SHA256
fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550

SHA512
3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMYE.exe

Filesize
206KB

MD5
eb8877e07c8ff5fc431f20b9435e2edf

SHA1
67007f9cdc4576a5bd9c8586e157345f0ccbab2e

SHA256
868217abfcd1a82977cac55c9ef9f6de0efa4fcc2255a5c34027c29858d931fb

SHA512
f7e2158ca58d3e791773e68626ac65a915ce2dae7369af47fb75e2303224ca25f4a7a304836099d601e2e8297ac21658aee4b8dcc46281cd9c5cf85c0796e1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsi.exe

Filesize
204KB

MD5
3c9354d21674d89f34eea69839bbd862

SHA1
0a2eee181e20b403af5407ac1475b20671884f75

SHA256
0f5a73688562edb67fdb03a527c23a8513d0a8a66055812cbfcc3c2e0be3202e

SHA512
eaf29c07036d4a6fda67db440a83013e7c652748593e68d517b46810c2df9a3e917d7ef906dcabde7e7988572a810c44ba600850aabf98e537931b4fb0bc0259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akoi.exe

Filesize
773KB

MD5
d0dd88bbbf80fe0cd811b283e154a6dc

SHA1
31b9bd188f49d7c0cf7f6a4c1574e085949d202c

SHA256
7524431d8e8d63f5ec9e66187231e0c98bd514f8395407a4d066c923b60cba13

SHA512
a6691847d1d602fdb1f6ccbd96f9d3cfa17c9ef6b41943ab89057d93616774f6eba2e4e5bc7fe164d4a7249bc6061750d51b40ba0dba0a52d5c30a7e422c77cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIa.exe

Filesize
5.9MB

MD5
57e749d089961b5c97bfcd65380e2f93

SHA1
9db25c2e0e49cceebb028479a722a496714a16b2

SHA256
81c93d445f10336f8e62d0dbdc76ddf6b9a97e59304256ea9ff406b827afa308

SHA512
ee39cc0884b5f5ea0a01d3fc31bdbb40228ad0304f522f4f8205eaaa38b6ca905857133fd69d960a66787982edde1841570ac27431cf5cb1f9413283a85c50c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQYm.exe

Filesize
450KB

MD5
7afdf08a272ef36234bc4730a531ec57

SHA1
973e7f159cfda0ee5cd1492d38922e34ac84b6fe

SHA256
4bc0d80da86dea61510f177b726a7b01359eb603d51e429406d9385afddf8775

SHA512
d46e4d3aa4a08518eee4e6c901d36e536f2fe88c66b5dc87288ace26a4d3455d0557801951b56c4897e0119ddfc07bcd39d809c1c3e94b8ff3bbe1de8fe6971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccsi.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMk.exe

Filesize
194KB

MD5
5c51e24376adba482a203f19bbfeac83

SHA1
4d20030668fddd598adef6eccb1e5005f0920a87

SHA256
8378db3f9a73ebc403966ab94debc1ec69a3ae4dd87986f784db3e56b96d20d8

SHA512
85aecac2756c9464c872033430ccc3c0a73c0e865712e167c49b2951ffdbc5de662add325268ca96bbdb26c38d02ed30e42ebabd3e18bd090e004d705fadce0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUQ.exe

Filesize
540KB

MD5
314d24c25e6390d4f8675bab3f942628

SHA1
9b5b4d053a9c369c69826432af863a1f88e366ac

SHA256
9ee65ffefb278f4bd8a188a40987c1b64fb390792a834143bf6ec61482410db6

SHA512
1f5bd2e3d238a3929beb5b6d391b7aedc9448c474f090568dff564131dc386307043d11a2ff2b30d683aa77d811eb715081f2000136c57f2599b850560e9fa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUi.exe

Filesize
188KB

MD5
5a7c001e89c8987c210ea22e7e361ffc

SHA1
337970d74c6e1bec2ab152d2c81d04edf4c55f44

SHA256
84248226491c137f737126868db6ac63fd4049d00eee75b742b3cdb393c602ea

SHA512
cf65b4e1ca5b937ff977581b5d363a0e6346f06695510988f2ad345181d9a0e43ef6f075ccaf5f8f39cc53f7b86eb179be24c7e348bd5bd8c4f690105f2c4916

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAY.exe

Filesize
208KB

MD5
aa1bd974e63ce96734ae7e2169dbeae1

SHA1
add8350ace92615de3bba51dc432117f7ea1d61f

SHA256
b59548ab2390f313400896b0b391f63a3704c442e49e1e053112c53413bf1780

SHA512
72092b26edb2d98ed73b35e11c2cefe4fe073b4a9cbb533567fa42d67d2cbb3eaa88bad91ea77f7409040054b164366eeb7943c3ab6410c583b4107b92250033

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYa.exe

Filesize
214KB

MD5
a89ea1835f9a68823876e6e230fbfaae

SHA1
864a388e859676f0d1807d94c4a76bc7dc7aa893

SHA256
9ed47434193d83ca6ae9537d611205fad4edb9894e2ec9ffd2a7cc572596c282

SHA512
98b57f140b3f3b15a14786457a0d21c2d0fa7a68a83f81a516ba17cbd24d6aa04e71630e23bb938b1ee780194a43bd4456236b0bd120ac4dda21e85b1d802622

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQoi.exe

Filesize
522KB

MD5
a8291e5a9163c64a86cd040bae7d02cc

SHA1
68cfcb18f0d2302dfaf391aef86590b6449770ea

SHA256
0fdf39dace21ea7d764dd746b1d511d01092e27c6faf986e816149ef32170b14

SHA512
bb2c527dce15f58e45167d5af3ac1d4c08489eb11ad9a311785cd7e9488edee13db57162b0c73c4067c4e38bf88eacf673a3abffe56a2cd1c849bdae69399b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUAg.exe

Filesize
1.4MB

MD5
367be16c626672f1012a0ad03bf92230

SHA1
1cf7bb6cbb62b550a5cb1b184d86fe505f170c2a

SHA256
5dfdfb1a1b5c62ef3a92d785971803c7eb55dbcc18381cabbf6eb9dda610caa8

SHA512
74e16d4b2c50b24d7790d7558e9171f8e8db3ce975acbe9585dc3cc614eef0375e7b02bebf5f2aae48f8937adf31d461770d92894c2b66917fe5525356f1804f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUEi.exe

Filesize
198KB

MD5
b84ba7e0838f5e0c89e9e6f6d7fb12c0

SHA1
a1755e5a67cbdc713844b7c8e8a013df46dd9889

SHA256
a92eb3733a124d3b2718d692a07b8fe0e4ebd702d0c288d5eb2c8acdd04e2e6c

SHA512
1566c3028392a348c99b1bd734f6ffca75cec0ac3ea6f779dd274838dbf553b6d4a83f278092bd7d714769617198a58d69887271c632f52ad975628764d33e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUo.exe

Filesize
188KB

MD5
583716fb6b81bb3bf1f1d275d1cff167

SHA1
6964928e511c50e5701295f6cc71698efbbc0d29

SHA256
40c84fec402509f689ba1c6467839837d822ba5009d22e18c6c48e974aea259e

SHA512
dcb6b5d92138528f0af521327157367dbdcdb90a210a279d5ddc067ef115186062e453dea150ff1c25d07bc7c4a7960f062697aeb6b795a0086f18a1c9c867c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUgS.exe

Filesize
189KB

MD5
5f04d9bb2a77cf27142b80a44bb5b9fa

SHA1
7c748956e6447d4bc1b1e62f949a0f6740cb5d77

SHA256
790ab689d125b19e4cbf8440e75140739451362d63578070e8d3bdbc569f7f97

SHA512
9fbba59e4be9b1edb98a12bbd03c8d89608e76207f043a81f6ea8cfe83a04dd4cbb43b54eea0f024f32c851764af5f79f2f50f6de2ce5f983c33e359ae0ed291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEwc.exe

Filesize
205KB

MD5
0252ebda1b6e4cd6e104a30a23294738

SHA1
38cda909623b5c6a79141bf4220c10b9d1b64168

SHA256
fd523c280aea6f701e5a6312ff86404cceb489e130d7b1de6b268765205b61fb

SHA512
cda297f439d1c24b18b5cf54cce0cb24f8fceb0edccca2b50822dcf356de0b9a93a743ccd06870bc67b4bb20329ac2b021139705b3ddb934450c3b2886b5132b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIso.exe

Filesize
185KB

MD5
8b414c81e1329554cbf1f5ae76f398fc

SHA1
94538e4fb9b22bf278cf05adb6c7a35d7f0211a6

SHA256
a7d01e0b51ea9097468a93891ec6fae6637ea51e2328e2836a86768a5752f308

SHA512
0d63421c4a4aec9b946ed3822ac56277137d1140960ecdb04b837b5a31da6a37d66ea57525fa67f3ad99794ffd4149c81d54ffba2e83f76b2b140012695d630a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQu.exe

Filesize
190KB

MD5
44f7e5e3a16c60025ffe884e69b218c0

SHA1
9c041e0b0c0a91fd837933a6522dddbfa5a16627

SHA256
093d0af88c49c586c08142ae1fa4c79cd02f241e319bf96c6f13c8cedb535039

SHA512
f807e6ec1c7d3c71938f60e6faa19aa4c58912d8b86947dd26dfaf8e167142853c739d744285698769d48f4fb7e63ccbb689c43553127887531b7fe890bb8550

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYsY.exe

Filesize
198KB

MD5
b8626debcfe002304784c51e0ca2b2cd

SHA1
c0c2fbd15a1d0e0f918fbbe2a44466d07321f1d2

SHA256
afdf1af5a53cc21ecb8b9e6bfbdb516202117ae9a1736b217e28099a90f6eb70

SHA512
05d2931a6b7a9532a236a1e4a00573f9ef343a2bd9c7be151db69eea828dcb987b4f5ec2fd519b6f8ca938b7607e22a26df2e7b9579c4aac30ab8be04e8b19c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYwu.exe

Filesize
317KB

MD5
04dab19b75943d6b12f5bb791308f403

SHA1
26222e940f0dcd7974a371280f9990ce26d752c6

SHA256
4d4e77b7f438683f7558d84c3453b5caa3d96ac55c5be8ae1b29e716a9990d4a

SHA512
6e571541f090068562ca67900248f3fd4f608376d573ecf02bd6c2c9ab44180aa3756b74edbd2de6a93e3b1420e10bb7c92ca2f06c8db15f814d47048e1275bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcsw.exe

Filesize
195KB

MD5
e1b2dd930ebb38b33600afe6876fa709

SHA1
1453ec4dee2fa9b618c4b24284a42110547c777f

SHA256
e4dad45221be7adedd1aeb1024016b7b2f00f79858c5a7c41b5926128e76023d

SHA512
a4ae0bea9fd7f8e7f0101ea9dd7cfc5c8eb9f4bc4f8b09d69512a378c4f6bc93fb27330a606b3eb870ea22df203c7d8dbbf0011adf28747c09c169937d50a2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEG.exe

Filesize
203KB

MD5
b1cb0eef8c22d6f3a0765bc6943a9335

SHA1
26d53086a4b190b0dadbeea49adb246b7ebe576d

SHA256
b9bfea599cf4bf3e6a482101e8576fb365dfe336201ac77459397335244a03cc

SHA512
bbfb12ed67188fa049abec7155881aa19c266a65c3f0e5bae452daeac1816b0bf8181847f2414709d43bda6378c64fa03973ffbf32b6f565dec5fc6278c3e645

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEo.exe

Filesize
205KB

MD5
3cf4648a21b3e8800a0735e2c1a946a7

SHA1
d9a9dd536402ccadc39ec8534bceb4d0fc5949c6

SHA256
69c6f0238827356ce8ddf9fa31826cb8e892147bf27083f278c5897b18dde256

SHA512
2a8a5cf733bd6457738dbcc173103a9d1dc39b279ae048a4c8d4ebceb912d17186ee789f60e101ef9c7ae5a32cff316783d486ec3a9b0a963110f277f3e52305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okoe.exe

Filesize
190KB

MD5
15a98d25860742db2be304d3a6610c02

SHA1
d202187f3141245d187d1eda66d49c0cf1dfccf4

SHA256
20f42c4e14205847fdbd6dfe2e8ae5ef5f49227271c02fdc1d85d8e6a777ec6b

SHA512
608288ff7697af906fda7768ff328980a4f38a0e9fb208abdbae007acdf9c79aad6c251c21cb4807b20b6d7e9cb2a95d2eed27e973d9b99db73d3f8eeba7de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAs.exe

Filesize
1.2MB

MD5
daa1f1d3fcdfd718a8bbd3ce4fabce1b

SHA1
a83a72e174ff85bbc4c9e43a6ca120e22c9a2612

SHA256
b64b98145ddbe8e2d9fb0d11ed9ba6e243ff9d31a139745cea8fa587686e8895

SHA512
0c1385eae6f0e5f6fcf6103670426ee86a65d829b92e0a9ea854f9f972ddb0f98f586821b2e313e15fd7636ae3134ddb77b7d8fd643eda52403908f1b8ded2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIkO.exe

Filesize
202KB

MD5
a7987c6215e903eef408d5784bbfdcdd

SHA1
77a115242570d9e0d6126b3cd87bf1e4c29d848a

SHA256
e6ef690f3fa6397e9cbb96aa50ebc122af019409d5a607160c78c64692131ea7

SHA512
4b48e8be40ff35140993fc2d218d8c416c0dbcc3f2bdf9598cf6ae016879171be0fe56588452cbb528abf43c00fce5000bf1b920c4b0890629caa0c333e0671c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkcC.exe

Filesize
212KB

MD5
4d3fd15ff9e0d2cf19cac4519f93ef49

SHA1
2563d703a1f0d2747cf46ed063c223c271438625

SHA256
361194cc9cffc727334f50174d385f8b064537b6c8574eb7e01db7a8145c284c

SHA512
3e93d55dae05c3da8cd014bbb9a987241c0fc35e0e22f0b5360a4f5bcd1a2ae334d1908c39bfc8b9400aab3b5e66963438b5f600fb62e235c49ec5412d818057

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwMS.exe

Filesize
199KB

MD5
5c09e2cc25bdc4f8b75af7f0f9564837

SHA1
2839380b7706a2073654460af7fad45ea16c0b86

SHA256
6cd4eb267ae5377571aaeca16e563c4b08e931c4622094744d2d6fc3e0a1b9f1

SHA512
9f45cebad3e79767283c8193b112133ae77a1967bae2adcf65db0d551bb10adcc6d50278d36b582e070a6d0dd2325311c429d9e1cf95cfa51ec0798e3d445035

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEy.exe

Filesize
186KB

MD5
415be06fcf809b6d9d041e8770ae149b

SHA1
56cf4c23e8db82ea53d677f0955ef56a3f74a2a5

SHA256
651ebe06cc4534bb0500201ac9e0cf0562d36dfd8d5e7c1551f0f88fd58983fd

SHA512
8d2f5d7310cfe024f74214dd11c9fe2f348a7148a090623bb786a976f70efb11d2cf16bfa64fc9e7a3fcd69122f84fe50238b195cdafa14adccb43a58e1c6dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYy.exe

Filesize
204KB

MD5
98a207cd824e2aa58dbaf355d7bec206

SHA1
87ad7b10ac96ae2628fd7305d2c2d5293f57853b

SHA256
65189fb55332e389928b3ee357387276fa1ad0befa03d4dd59ed2f9fd3d3c7fe

SHA512
d98c636c685b48f7f4322c3290c908e9f41881a45f36950d72faf67dc4597611f6306b88e494b7b4535648064dd047b8db0206e443644e404a0c4e8d02e0e14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgwm.exe

Filesize
191KB

MD5
b95739862413c52193615df812ef9bf5

SHA1
f7d3b4b908f8db46b203004cfd7e54666ba8fc44

SHA256
15b14158e99935c6d11f84f3562ee981a582ec7f153d79770afe89dab0d7645c

SHA512
597e40468cc081783b65e768b02acd6e9ee81931f2a1400d7dfcb79dbfffbd7ac2f1e6e770e37a57b3fc8cb2a895edc1a1a828445ce1832bfe811b6e99f2aad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkoQ.exe

Filesize
214KB

MD5
65ff00c7faeff71b646d6deeda51de0e

SHA1
758b3c5438f8951b5ffa56800ce9d5e8c8a977f5

SHA256
30a150dcd202f666f1a28c5ac77c2424991725eb09f7f63a6dcaa05c1f920812

SHA512
7f4d84f1cbd2284b54872b1fd3c907ee2865199115fe163aaf5a9986db6794f7523730cde6f1602547e0d8b5f9f12dae46df90e5a9b1fd7f3a7f6f24f7ccd62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwgO.exe

Filesize
652KB

MD5
0a6ae4065f853797e51f496593191167

SHA1
a4c1d4dd5d026e755e6862f4d56d6390a5d1f792

SHA256
9d22762bb5a49a07e27dd0aaf26c6d041f851d9f6609a74155aaefd208bc0f57

SHA512
85736376c13793a9da720fcb96800d948acae88950b1e01abf68a1da571b4388e2e017e8d36931c6e1dba79b2061a116f7bf162b390a79f63530f6582c888ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAES.exe

Filesize
184KB

MD5
dcc7e9b00ee16c3c35009accb463e570

SHA1
cdb11b5d69056a7b795ff5ff5db03ac978ebad70

SHA256
f83ea496e49a27588291b0f251040b1b48ba46a53c5a9e6cc2b323c52692d57d

SHA512
bb19ef68b843a2838737288035c5c5b1c7eb29f0ac1463396026a85a53fd22b80ab670b5c31ae5d7387d1be4d295ab3130bef157b9f3aaec43135775579a7de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwU.exe

Filesize
5.9MB

MD5
031b38205575dc6e17d25e0367139573

SHA1
946aa73e97812a9989db6bfd6eb4a937842154a9

SHA256
639c1e841e0a6709e5a279c2f6395e6466d6aa5462f555250311686f58480b7b

SHA512
64ab31d74b910f9fe0b5160ce0dfe8390ca7ba40140fec74a239f45c30242f8394c86c79a104fdbabe95503298c6ce2930b3a394a1a294411b7aa6a00a8f0073

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQka.exe

Filesize
193KB

MD5
89fac256a5a97d26e02184e95b674940

SHA1
199d02c1fdffd7ff2086af32ee5cfc47839bd3ab

SHA256
fd30d4a241b204fdf6138ef317a73dcd3de4563c046885da484396739771246b

SHA512
f279aae67666285e5e9e9e68cb8661b1ab90881614bd31a252f3cc9288e444dd6110a088e5983f6a3037529e2961c2fba6d54d65ab811eda90f891e48dd04c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsMS.exe

Filesize
232KB

MD5
045fc6ca264f412651f0ffd7ec79c7df

SHA1
9afd4231f290029eba70b44a90a5f277956d9ee9

SHA256
9a046702d28575819c6a0a7118391fe67ada0db8d7290381020d7e80c4afbb8e

SHA512
90aff0df21b056bf8c5897c32888aaef68a6bc64970f05b71a12cda2745ca4cdf65a3f0b1ad55e0788f5d170fa1f59caf4efb98d20cca245be1c203697724f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAq.exe

Filesize
551KB

MD5
04ec47847ff8ed244ad81907942ee108

SHA1
d8b6d35e93b9437ad8d31052422fb5f3a29b3fc3

SHA256
087cd6147a875bb8794f8725aae8863680f2fc21b183de9114e96ecdf588e641

SHA512
091193488a8834e1536e65a563e6131ffd424acad247018e30913811c6cb45ae8b1625ebe24c3ce2b006d930cf8def428884c9b35acbe62836e5cc72503d512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUMe.exe

Filesize
203KB

MD5
001d2caccf42d9c84b28620d3e6d5e8c

SHA1
1987ba13c3dc86d0d976db06c5f8910bac0d2657

SHA256
1b31727a8e02fe547f8fb5d09a5b163648092a2e1014419e29ddab23022f9fc8

SHA512
af25fa8ec840f49fcf3c59c488f3f74b20bb8285ae79ecdb967b7e463800430105a1c581efcf6d29219f9eb1f39d9c8a9ebdc5603a4c7b98181bc8d7fbfaf891

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIsA.exe

Filesize
193KB

MD5
6c04e3dc0037b65ba2e50887e608957f

SHA1
2ff56c45b55b92b13b468cf412b381c68ac677fd

SHA256
5f6b783eb9f4573bcd4eb0a2d46a50fa451b275e0a64bd0e0d1c72b9a3b27625

SHA512
5136abb4276188788e5371f8288dc8ae717db209de2f1b1d39f54e21c9daf417fa184061ff0b5aa7944c8d881f86ef4f272194293dea5fb539c68e10668b04b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkY.exe

Filesize
469KB

MD5
09a7a543526d40fe3d0a8cff164b97b1

SHA1
f8ec1ba4ea81ec9f89fb4a30878d2c63979da4ad

SHA256
cabb41f1ef867a3e37b9452c73bbf6dd21656ea67cb79c8b6cc7f1a745168dc3

SHA512
3721bfa59580669a6e9b6b42af3034e5ce8e686fcec1991e9dcc08e8b249e4d5d4abc534e302cefc334a041884e71a291d0cc764ce6c8070e2285506ebcc772a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YksQ.exe

Filesize
206KB

MD5
e4be83745ad13ac720f4eef762b808a2

SHA1
3735bd8c18ead81d30d0bcda18428c8566253413

SHA256
e249e22846e89f4e055329c101f99bc96c2c4cfee73fbec4b658ed69bf4abe2d

SHA512
a4831dcaecc83db4e950b9422bd452db258ff2612de1619fa2d6213572cc9f71f7f28b658f615b68d410a142abaccf069f2578becd85d8ca2e39e6f58b695ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yogs.exe

Filesize
244KB

MD5
a34bb7e7bf742af17f0b34abdd53847d

SHA1
f5422694a4c6f722b76818e5c6e6fd53bfcc45d7

SHA256
a3cec50d75e3fec1fe2dd63289279af4598e963252d09c29575db4a397c56579

SHA512
94d9ed1bc85ea200f1c855117d0243acfb7761c2bb89f7ef48518b52f7e8758f2727acb04f828d4c874f855a5a93c4bc304e76bd8b52cd612b94b38d30427fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEEG.exe

Filesize
185KB

MD5
d477d72094da63503a6b330277720328

SHA1
0404a054c43e02b19a76fb27d99cc573b59f05bc

SHA256
ced2758ed1ba937107382b1c71b7377799ac2e5180a5a27f48fcd27b00b776fa

SHA512
07ae8717791a2f81e4dbee45d209eb5725780d11927148a3c9014a88af83deb20652c620e1285e3f87ce22b1696223bde55655f0cec8037de4a6d9fd5982f438

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEoK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgA.exe

Filesize
196KB

MD5
9d8cf161824a97519501512da521e579

SHA1
7d8386955ee81d06ec259e2ddb5b791589e8e6f6

SHA256
984bcd8d16672927843bad5070a29fa004980635debf276d69cdcb1cdd7c847b

SHA512
d3b4021567edd656cb9d6e6406b870c4e6978028bebafc61870c06e4443adcd85356512b951f571c3b2b3ff237ccc03ca82d3720880828655b913ccd5becbbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQck.exe

Filesize
216KB

MD5
faee4cfe5c1574c49b112a517f4b448f

SHA1
e08fd92f2a0b0e3958d128d44a601bbd304bb4a4

SHA256
716de9b1f67af586720e1f0bf521ba1efdee013cdf93c64224a048321155b0b2

SHA512
4cd89dc102c23dd7f9abd46781c8d6316f607f67e71468b54135c59bde44971030ac4ba2e00a128d40b1482190b920b683ab36ec661d281cd1520d5705b8ea48

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEs.exe

Filesize
203KB

MD5
4bfb4bde97c46bc38ae26713b4309b22

SHA1
4348c613a572b5d393e9d7f1f2cc09529450fbe1

SHA256
601ce3f3830f1bc344a8f931a3b2c7cd7e655c7634379ea9bad755a9c7f9860a

SHA512
a970a969967287cd2a4a81a7dde22783ce22fdacae749f66c3f9e8f580c549c9fc86712f7956648a8356733676cf9cb9eac2a9913b132f3c4b440bc8f7206900

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMsm.exe

Filesize
1.1MB

MD5
4ba2a89774974ecc2a0724c8fa0af6c4

SHA1
c30659d3634794ab75e58864880753380a0cf33f

SHA256
2f0b0ff3047ff52737efab9baeb52436c109f473b27336a4ac9d1c19fc4b6b8d

SHA512
fdf5b6a934da26c937886822fad6007fdf8eeed9821664d6d5896d346613bbcb4ee64900c0e43db865c55fbf17304e65995e98a7b33a896404246b16c5c7a212

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMw.exe

Filesize
632KB

MD5
3a92ba7aa4afcece655118861436f00d

SHA1
259cda1d2ad13bd5df4b724e90be1ea5cf4d8438

SHA256
6727a87aa543c071b831845e8099ac0509925b3f0749c2c65e24112921764d85

SHA512
3d4c91ac44e2205e3a7ec151b6705b423d2d23701788af94b5e8760130de6cfc849c44c5e659c422e29572b7a95b9e29169997d45b1d0d6e8a619b75070da5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYU.exe

Filesize
191KB

MD5
1aea96a6b9c407856b3e05a8351d7bad

SHA1
2bd5544044bf00883b1e4a1a7e5df3f200ba237d

SHA256
3d6f1813ec1adf5485e0fea21aaa9c1a0ab58b4fc03695d5f5ef5e90eb30525c

SHA512
197b9b4ac22d3ee10a4dc0ea6c390bf51aafe1c597d2d8f56ea4260e7c137de5911f2d21e4b17aead6df79d17f1c98796f070283b90e8020fc30989978aeb0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIcM.exe

Filesize
812KB

MD5
f3fb437ea490bdf37b205efe29b11701

SHA1
403d281320c42de27bf2f4f08a1598093299b0a6

SHA256
1c7828e0da512b5f3b1e39c603d691304fcb812ac8c486a355959d98250971db

SHA512
701c4d6a3f6fa34eee158c7d761ac171fc14611035b150f7333b4bfc6877131dfb8d28609b513b0a26c820f522bddee47cf4335bf803997e9399190c58cb5292

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEA.exe

Filesize
1.8MB

MD5
6a0536cce2a058472fff9b2bf211ce32

SHA1
7b3c96b04cb6babae33a0937b19b33887d25fea9

SHA256
9ff20b1bca82d95ca65e9bc617189377d55f5bb7e0a33fa3c05fe19f7ec9b881

SHA512
5ad11fafe5d0f92e52c4b5a5fd97a0f936a00fc900710732cda2c31b81c1c20c1a06d6b0469724b3934b724d3657286db1ff4f2a47d779876356bb05aa9bc876

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQcQ.exe

Filesize
314KB

MD5
86314ae4eb02f40753bb979bc94d0636

SHA1
298e298304415b3c56f728855a3388c5931ba49c

SHA256
baa005911c105a898124f27641ee4420b740a1ec8ae5eb292b5b7d1c5926cc7c

SHA512
8c75791fb040f65f8af3738b4be54090e5e71a1c1ad3888b0d1b114fcc1e29d6500a3dfc5d84788df23f8b0379dd5d7209006215cd3ba9a95ab62f19fcf70ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\egso.exe

Filesize
814KB

MD5
d286ed2fb6ffd2be297d82b78596779c

SHA1
4598aeadf035c3957c13afd15f67186da7e4f953

SHA256
ea354cd4be99c52a3c408258c6c5788f0d380e7ef79a6bbc84df1cf13afc45a7

SHA512
594f1e802f3577f9d8b1526d690b342ec58f9ac1e636200e8c707273b00a11bccf39e50459009836371eda2bf802acc109ba9d29089eda7da9e5c4d62ecbc980

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAMG.exe

Filesize
5.9MB

MD5
a892e58201c535cde431314c17559c9f

SHA1
7ffa47a66a4c62c6d925a428542d645f00bbb874

SHA256
8ace31271e4b68721dd2d15f844faf283b934065b4cf8c938f2dbc71579b366a

SHA512
2fbc5160ec43ce5a593daf8e186e1310f48d1992466907fbfbdcf0f693f75e78ca9078f515c2950f6c94fa4bc3a2b081c4422170dbff0e9a7e81f3ed3689eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEoc.exe

Filesize
632KB

MD5
f353309719e9bbd2644464fdfb47a7fb

SHA1
283ccaaaacbcce05ce29b1e0333dffc6e0be6c30

SHA256
f3f9f759c9f593c5d9bbd9f8379a614292256fa9ead5dda412208a6f01db9fa0

SHA512
897695ea4ba0e40af0d0d9a4ed085f11886c5dc4f449b9b4d433ec90d623d3127210cb878f82b34e893fe9fe7c0f7ff02c5b700a1a6d3c010514ade1bd7f87fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoG.exe

Filesize
811KB

MD5
eae9e3b077868838cc215110d343f577

SHA1
a0761059398e75e147b4d73d34a51bff6419310a

SHA256
1fd26a83a7975e23397d20e41684e666566912a7462cd199630da15cff60cd93

SHA512
555d76b73569d132b30135bb86106d30f417200d783806ae42080bd16f86b4ba5d50e2b77c46bdcf6405e51e5fa0b13656ac8db6f3f652899d2c41c39aaf2a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUM.exe

Filesize
207KB

MD5
59bb2cff6f261d7e3aa8a3f356dff43e

SHA1
7ad4cdff3916650838c3905e1babd31e54d47669

SHA256
40f03cb4bd828c5d06f37304be2662df3a64c03e506ddc7eba564f254fd5276a

SHA512
8aa61387965d360e7d409cd11a9f9c725a2d9a25cdc938c491e76f3086542c0c42406f8d1b22b8f855919b1fd36841c6b9c234af4a9d4d41e0e3a71ae1679809

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwgi.exe

Filesize
181KB

MD5
13e0571a9ca290b37a37a5d243785260

SHA1
431a41730cf9c3cbf1529794770b9e0601882b5f

SHA256
da4f8ffaafbf77a822bdcb23ecc75866eb8012b39889293d7c509067abec9b30

SHA512
e23fad22fe493b21f471e291bb33d3a5c724c320edc403e22c1e5b7dfa393d65b8efefabe9052d1a19e6a4020cea72cbd7da7873436fb80cfe16c0426103aa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiAEgEEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEAc.exe

Filesize
206KB

MD5
04d7bc64c1d27456a3ec92e7e218c549

SHA1
acbe560abd8e804855cd602cb3389874c8185c0f

SHA256
53609214817146a52f5ccea9c233b89e6384de50acd42705772d9f678a4ef222

SHA512
cb1fdbbe7768ce64b28e99c415e94b1b2f6abbc05bf328132aef2c6f87ac49f99208118b3b0fa754de52b99f7321e9d9173c872460e9e409f5d3aab8e8808e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsW.exe

Filesize
190KB

MD5
d370687ef666d2a322abf8f8af93a6bc

SHA1
ca5eb8cf4ce5f0b1a39d5c17e5b71451c8267dfe

SHA256
769c694eb3d9112c5b0117d800c17f6a55b656be44e8dca7698e361cb6113b3b

SHA512
f57d88ac42c72241105b6f10b04ff83f345b0f852e82ba2993bc1af197e4712402ba1f5946d6347c3b6ffe19937f84578d44c4dd9637ec151dfe92645e43207a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMIg.exe

Filesize
822KB

MD5
7ea2b5ed18a139a5d8e54814fab9bffa

SHA1
56957cfa39258ed4555aa20b774ed73362d303af

SHA256
206146ccc716ff8d14afe37410df98f7af8253c2f3430061f5d3a3a92a2383db

SHA512
893aec880eddcd6db884c156142ebcc206539ebca04b9e27ccbe1c61430a15789b2bfe0172c7ccea8462b80ba21e227ff5e26377a8d612c86b5648078064dd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMc.exe

Filesize
214KB

MD5
f915335eedf24e901a3e28f250ddfe66

SHA1
1532f2492da2732ce29ac5632a3d1270da3f8ca2

SHA256
9f47a1a1a1e510e7f74cded1fca055d44626f9755a746a8dc93d2babfcdf6563

SHA512
2d80c221498f643459be82a4fb350a853c3cbf951bcdc79f7572587d64cf1026fd61533cdd482672c033fe4dcdced2a859119aebcb71631334902a6e26b03387

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUcC.exe

Filesize
427KB

MD5
ac37fe3e7593991feaf3b20c9f1b1b35

SHA1
00914420e23bf0ef1ba77550820ce475d081e050

SHA256
d42fd2eeca7a3bbcf8511fbaf678ad213fdb6ca35d2cd189a975ed7d940b8155

SHA512
af0d1cc0c73fe4cba74f0111750b048478e7f8193fbe960c60355588c0cd33550e80ac78259644a36138283a5cff0d6ab8b80ab44f6f0479ccafabc6843bb355

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcg.exe

Filesize
835KB

MD5
555d87f632d1a4c76617da1758ab63ec

SHA1
14c8bf69ef6f3cb5dd5cdcbfaf25eb84cb0c82db

SHA256
5aaa2419fb5e7741ae224e81498256d1d1feffcf89e66a5746fe9271ca3186d3

SHA512
d669eeea691529ca8072717a3ee90bbdde078e37472d06b5ddaf523517c1d6e694ef45bfbd90399ae04d77909abc7de898dd70815df82b8d87f67ef2d5ce6e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkco.exe

Filesize
436KB

MD5
6184406a33aa677844fc978e4980464c

SHA1
0e76bbc485b086ef906a2ed1cae8d6d3b4e42974

SHA256
dd6fe822711fdc93d79c36b1b0d207f1bf6c5348b13a6e79984085e8864f60d8

SHA512
c5b4e4cdd6128b2285dc61fb7cc36cb22b0d9e5c72722bffcaa919bbd91dbd70cc0a0ebed16ea040950566eee0e15ad2c0479e4b0c734b7f1d55286f4a33a741

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIQ.exe

Filesize
638KB

MD5
1c078ab98a28c721e1fa65f689eeb84d

SHA1
706f234573fc5e25710e6a06c5cdd13d34bd8ab2

SHA256
1a6b916ef457a6fbe2eaec4d25350376d537e77e4dc5e06afd13cfba71a2a384

SHA512
e002a689c26857615f2a280e44d4df3900e320a3f25e471f18aa0b53ebb4b17dff397b580820d2ce984b29fe3c30e24cf2a127f896b4c1bd27c93f30afb35773

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocMG.exe

Filesize
311KB

MD5
c6e27473c2da69c5ed2ac89df870f01a

SHA1
1571605f8b70602c799febc1cb7c10c889504a12

SHA256
8eb216757c42a0dcd9266346e369a5e9d536fb1363f4e1497122d54c19274679

SHA512
ce4445b799970ef02f6f933e7ca3469436509546c4a74e45f41131f400b2a0427e09ec926488c6d7ce44930d9e21ef43c60771cbfc3465f465d972ee0b67e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMa.exe

Filesize
199KB

MD5
86101fbe0f9988b61f360e3774bfc6a6

SHA1
8fb764eb965011341bf3ced0af757e077951a30c

SHA256
1ffe48468964fb4f963694f0457b8aaff58b711bb147c617d2bf6118f8217ea0

SHA512
7148ac9d8c3b49848238472a8e6393c58b2f8e41bbdd6b680b417d1fbfb31a546ebc3b69b164947450d67adfeba7d4f56e4d9681e77585070b5e9e581f15fe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\owAw.exe

Filesize
187KB

MD5
4c883706d8c5a5e37d555768b87befbc

SHA1
87652449bd3f3e250a1ab59d36688fa2016c940f

SHA256
80cdd32940726ddd5f92e7708d2a0dc6a26b45c4ded3a1b52e66aedb2e29b0ba

SHA512
3596f8fb3a9354783836733950426e7f6a3a9efdfa62c93ed64e7f1161f96a07d8f14961b3a98d17cd9f94e2890e69e7d7c58faf7f53574b2ac932aa263ed908

Download Submit
C:\Users\Admin\AppData\Local\Temp\owoe.exe

Filesize
199KB

MD5
eead4b9339eedcaf96485b8bec8bffca

SHA1
c46460223564c3ac95625343f9a0454d176b1c93

SHA256
5aee339ef7af9d0ba112a0d476b7c3bf9e04f2fd39eecebe1011f2ce78bbda17

SHA512
53569a455fb800f8efc5c5aa09dba32d8c071fa3abc252105a7bf3dca8f29ababd10a5bc25780d48d65386cbe1c69cd377466671b712e270eb92d425a59ef0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIAy.exe

Filesize
649KB

MD5
d1eff3b55780da00059a15d2c7a7ded2

SHA1
1ad8c9807f91906598616e7b5afa3acc24406acd

SHA256
9196e5372a3f93c78e43230f83257e8c7af765101c02604225f019f450cb5698

SHA512
60aaaa1ffa9842d5682d2db7b413e85b4098570f5eb0de3a2ab5a2dc8f8f9ef544a6e79a3576ec1d700faffbdb162b7995fb99c122b5711f74e3216a51acadab

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkW.exe

Filesize
188KB

MD5
687abb6dc8fe3b5d59d7d96d064b0a3a

SHA1
94a6aeeac2963bc22989fa926c52e3d10cedf863

SHA256
6c090b71795a1f62f76bb70d01dcf11b2c1e2b60d66b1fc92d800e10c8e8bfca

SHA512
bda063097b27519b3a94fb97c0bb9e7add400cddbe1e54c0021c9da45835b546483408f378d157d596c8748c30886cdec9e7ded9a21c26a1a3d9925edf5cefaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkcc.exe

Filesize
766KB

MD5
cac81cd70381fa8be5c0248beafddf35

SHA1
0c2353ec52fd539c7481aebbb90b8aba49a7bb4a

SHA256
c2614bb96f3df7b7e58af31ea7d29687d0824f2195dd54cd7471f8a0bc4480c5

SHA512
c388f79d141e92a3cd6b4e1d36df2ca09cdab6a2dc83f42aa3ca81d37932955148039d34f43fb5fc2beaee697d7fe8c70d0a603e0b4d32af28e7a29461162514

Download Submit
C:\Users\Admin\AppData\Local\Temp\qose.exe

Filesize
201KB

MD5
ed17beffcd6cf44a02d9ca3feabc44f2

SHA1
6f9b3bebaf263e7c36f3ebc5a38c7aa9d22a27d9

SHA256
d79445d083573f77d299de225b4fb7361be49ae3cd9af0867eebc6c881e1eeed

SHA512
d1406c2a1b1ee41484e78acd1f6d6183b083d0ee6879c1a4baf0968d3a9cc2f2f317b34c0b90f8fec690eaac9e6d8740272991935a85f48a291f6879e460ddc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgC.exe

Filesize
203KB

MD5
a3b665c53593af2db8f4c405576bcba1

SHA1
08f59d04fbcf5ad3cee963afbdc9f8bd98f7f893

SHA256
393730208b058d8622096b8dd42150a998ef1fcdc46723769bf2bd9bbd74fb57

SHA512
7b674ece50c37a48ad169d03a275862c6763e26e405260f91a8436eafc1a6f8a4b144186e2ef8dc108b91cbb4555ddb3f6e1e6dffe8367b26576445ee60c7ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwy.exe

Filesize
203KB

MD5
73e3b2f720fa73516dee0bcc8b61a3c9

SHA1
811ed0e2efbb87fe99b4ca1cae7535d048c6915f

SHA256
08bc28bf58859b10ea9a01fed132d2375f92550d2792e794ca919bf1abf2165c

SHA512
5d4dbbf9f72dc59bf2e83a241c099ad4009a8da41efdf4c50738fb399d2d4efb622400a7beec36df453faf7b7617775541c59f8a455344fefdacd18c25e6814c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAcg.exe

Filesize
193KB

MD5
515fed5317270a94e1bc18c034194cc2

SHA1
4e98ed8504f7e2903e7327e524114b36e69408ac

SHA256
2cde8e26a0d4973079b330c8b9c66235220f85d91a0c4421d310f96ae570a2cf

SHA512
a242e393b1448664284084348a4cb734d585f46632ccdea0493ddaa793d525aa2516e4a6119088a045390c6c01e70a7247236a662ea0f9a43fc9e5a934c478d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAck.exe

Filesize
186KB

MD5
19251148f6b0b473d7e4367bddec3012

SHA1
6c6660c2a0142046f56fdeae891c3adf707f6dcf

SHA256
a7617352d98527dfea67792d05b87ff9965ef47a7443c98442b1df4820131754

SHA512
2957672dc37e66ae5d52205b29cc01c49574864e28d4b8e61493cb994fc56cd39d048136f530295c9513d401f82613a77e9ac275ae5bc2ae39b49df7b64a2d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYES.exe

Filesize
540KB

MD5
1ea49657d71d5f09798013a472e9a5c8

SHA1
87a7e9a97921a501b35551a8039c046a4b45f0a7

SHA256
a864b19230400107d2c2f8ad1850192b10c8f4640115392b9f0a81f2103670e4

SHA512
c883e20446dbf2f0213a8279f6fac8cdfacde9ab3f9db5bfa1417d913c57fbf4786f1210bd0852b3742e737f26a56b8d6e9c94399aa0772abc64c8bfcb942a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYca.exe

Filesize
314KB

MD5
2259f58920f4a659b160aca532fbc4e4

SHA1
86571af74bc7499d79892657e3f4b45d8b91ac2b

SHA256
5598efd0fade982537226a652ec3707b3653e14a69707c51b74a80af37241dce

SHA512
202046810eec75ecd5915b68c5949993beab830aa7eea1efba1348802284bd2da3b5ce1a60a6064a353615a3324d58e82d110b939e32cda82194d872907946d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucww.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukge.exe

Filesize
222KB

MD5
2554a078e4b2d8a7df5b32b958d7e7c6

SHA1
b979549c41b8e73e4e962f039c4e8bc2cf15f393

SHA256
c7a48a6a0d72199c4315163af007ea6e4a59888e1aacec496939ce631357425d

SHA512
63a7d55a03890f10d23d2425235bf2d290b40967603e09334fac663b262b27c70170c2c8b236aa6af14e5857da70540d847589033662f182fc23b71ae7a65de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoMm.exe

Filesize
206KB

MD5
7b0539b9a3c321d078415e2d2dea6532

SHA1
f7a57e3ea604e7477efcb5bb1999bc19f15d65aa

SHA256
d66d5c9503525ea7b89d2060efa04f90bf287f6e6f288305e8a71450602e39d1

SHA512
727fd599f6870800f9b12158be383050363b98a6600e7ae93972873d0eb624f6e560e95aa3d5462e42b083c9857b121e3421573e60595d3cb4e747c8e3507061

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosY.exe

Filesize
190KB

MD5
373bed7ad940eec97ac08263149a368d

SHA1
a37945ddc4bd251a4a035fde456d8d025cb485f8

SHA256
767b82af3758cf43d8f66c1c31007842d6c3ca517c839fd5f3171923beb3e91f

SHA512
6ffba856f95b460214f302bfa82ab2a10bf70bd4d2c712cac6fb6d2a2ee3c78f0adc15e37943d2d1b08f8ee462567845816a93b0ce1c79102caea59ca07a1613

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgoU.exe

Filesize
224KB

MD5
899c0a8936b30b3802fbeaf8898e8938

SHA1
dbb44364e1108d835468f9507b8bd14b25931b75

SHA256
301feceb9d4dd0b438c8981f68dae460418d144108e01bdedaa9141be4f32cb0

SHA512
c77e9464c0c2752164f84edd69b23d8cdda08e209559ee5967ff1d3c0a7e13ebd530a724c09a378aa28bb2b4a442ec998a32c2c37317f35384449c628adc300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEQ.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEUm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygoq.exe

Filesize
192KB

MD5
052a5827fb3ef04ef8b4ab29958ea08f

SHA1
e0ff7949eb94b04bda15dd97c492b2a44643d99e

SHA256
e339c27978972e96af5e69dc5e6cfaa90852090c748e727ac71a1c42e91b2a09

SHA512
1765de7fffc0e921977e92ec412915ef6dd996f3da34f07cecf27b0826c7e1844f63fd68d5acc6011195d8117bc6c776947e9af82c1e0adf97afdacabd3dd47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykAk.exe

Filesize
207KB

MD5
42c643aa2eec0d8b7bc32cbcad64e849

SHA1
0203c60224e4863d463f9bffe77c6d7f7990c242

SHA256
42c952813c882794d8f8fe57253fd7389652059bd2f03b3c65ab96d7d00b159e

SHA512
7c32a00d368f611c96c0a9272c948968bf04eac6e785a48befee1177e6b1afbcdcba79cd2a9d455b6c441e55706bf7a0d4a68b3e1153c6bdecbcb2b0cb2be5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMS.exe

Filesize
194KB

MD5
f7175ecbd584456203e0c6e0b28b544c

SHA1
2fc420e996ac8a45984d63cfa5adaddc6020eef6

SHA256
1c4199c9888757c0466c4b7707489b0d8c21b23719e69b88369b4d7c6212d7a2

SHA512
43d50aa0167cb2fb1cd996e26e0918ddd2b79588b81798cf1f556a2af00f0f298dec14cf61118508c2792b54876d40f83b73ca285bcc5c35b7051aafa61b4067

Download Submit
C:\Users\Admin\eCEgMsQo\pAcMggcw.exe

Filesize
195KB

MD5
331eeec005739e912045e840ddae553f

SHA1
8d3495c7f234fd838ff2418ba1aee695a5c62d2a

SHA256
d98b9e1b9067819d526942cc1413315dbe8bd13049baf7556bd8aaf25087eefb

SHA512
0c908aa51e4e9a913d86e77b10ff5cc81f073a913294e0ac241511449f2e868e8e9341730e100de4ea74b71168f2759d8687208f7139b9b2df333f64474dd10f

Download Submit
C:\Users\Admin\eCEgMsQo\pAcMggcw.inf

Filesize
4B

MD5
cc6805f0096a7453ed14cd94617948f5

SHA1
0b9aafb71520ba3120e62ff7a7fa17415be0d905

SHA256
c891d8c426ea4ac783f3fd549c0f43c30de4496f8d25a9626cdb9f48506ea6f9

SHA512
13f46b79366a01254b809b74bb9d1ee29e955c1fccc52e8d403fed983d1a19ececb18847e33a6796c83d229ea570683aa24825afb4d7bb19124c9e92f54c6f6e

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
f1a7829965f69ea360fb753e6d28d4f7

SHA1
4b05be6b75b2299899bea9d1a214b5577afc7400

SHA256
64fb130086a7f8a27ca71ade8d06c77ed1c97af4a6bbc62d956bb52c8df7791f

SHA512
13ff2b3f5714c0b3009011da891f2e79c289310ec13a919f1236550acd984fabd7ef4a7342da8ecede78057e4f365f625c7e3cf05c008f98ff3d1c9e15ffeabd

Download Submit
memory/224-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-682-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/928-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/992-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-637-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-629-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3108-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-664-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-638-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-656-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-691-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-696-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-665-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download